
YUSIF SULEIMAN

[2308-0703-0223]

INTERNATIONAL ADVANCE DIPLOMA IN NETWORK & COMPUTER SECURITY
SECURITY IN SYSTEM DEVELOPMENT (CSM202)
ASSIGNMENT, TERM 3, 2012

Student's Full Name: Yusif Suleiman
Student's ID: 2308-0703-0223
Class Code: GROUP 1
Lecturer's Name: Mr. Ibrahim
Submission Date: 29/10/2012
Due Date: 06/11/2012
Total number of pages including this cover page:

Student declaration: I declare that:
- I understand what is meant by plagiarism.
- The implication of plagiarism has been explained to me by my institution.
- This assignment is all my own work and I have acknowledged any use of the published and unpublished works of other people.
Student's signature:

OFFICIAL USE ONLY
Marker's comments:
Date: 29/10/2012
Marker's name:
Initial mark awarded: /100
Penalty on late submission:
Penalty for plagiarism:
Final mark awarded: /100

CSM202 SECURITY IN SYSTEM DEVELOPMENT

Page 1


Table of Contents

Cover ..... 1
Table of Contents ..... 2
List of Figures ..... 3
List of Tables ..... 3
1.0 Introduction ..... 5
1.1 Description of Vulnerabilities ..... 5
    What is Vulnerability ..... 5
    The Web Application Security Gap ..... 5
    How it Affects the System ..... 6
    Top Web Application Vulnerabilities & Security Threats ..... 7
1.2 Proof of Concept ..... 8
    1.2.1 SQL Injection ..... 8
    1.2.2 Counter Measures for SQL Injection ..... 12
    1.3.1 CSRF ..... 13
    1.3.2 Counter Measures for CSRF ..... 19
    1.4.1 Denial of Service ..... 20
    Modes of Attacks ..... 20
    1.4.2 Counter Measures for DOS ..... 25
2.1 Existing System Function ..... 26
2.2 Description of Customer Services ..... 26
2.3 Bank Use Case List ..... 29
2.4 Bank Abuse Case List ..... 30
2.5 Bank Abuse Case Counter Measures ..... 31
3.1 References ..... 32

List of Figures, Tables and Diagrams


1. Figure 1.2.1: SQL command to generate a specific error message ..... 8
2. Figure 1.2.2: Beginning Web Scan ..... 8
3. Figure 1.2.3: Entering Web Address ..... 9
4. Figure 1.2.4: Beginning Testing ..... 9
5. Figure 1.2.5: Vulnerabilities Shown ..... 10
6. Figure 1.2.6: Final Report ..... 10
7. Figure 1.3.1: CSRF ..... 13
8. Figure 1.3.2: Entering Apple web address ..... 14
9. Figure 1.3.3: Finding Target ..... 14
10. Figure 1.3.4: Login Web Scan ..... 15
11. Figure 1.3.5: Completing Login Web ..... 15
12. Figure 1.3.6: Beginning Web Scan ..... 16
13. Figure 1.3.7: Element of Vulnerabilities ..... 16
14. Figure 1.3.8: Vulnerabilities Shown ..... 17
15. Figure 1.3.9: Vulnerabilities Shown as CSRF ..... 17
16. Figure 1.3.10: Final Report for CSRF ..... 18
17. Figure 1.4.1: DOS Starting Point ..... 20
18. Figure 1.4.2: Entering MTN web address ..... 20
19. Figure 1.4.3: Finding Target ..... 21
20. Figure 1.4.4: Login Web Scan ..... 21
21. Figure 1.4.5: Scan Began ..... 22
22. Figure 1.4.6: Vulnerabilities Shown ..... 22
23. Figure 1.3.8: Definition of DOS ..... 23
24. Figure 1.4.8: Final Report for DOS Vulnerability ..... 23
25. Figure 2.1: First Bank Website ..... 28
26. Figure 2.2: First Bank Description of Customer Services ..... 28
27. Table 2.1: Use Case Index ..... 29
28. Diagram 2.1: Use Case List ..... 29
29. Diagram 2.1: Abuse Case List ..... 30
30. Diagram 2.1: Abuse Case Counter Measures ..... 31
Question 1

Identify three (3) possible web (or cloud computing based) application vulnerabilities. Write a report with the following headings:
- Description of vulnerabilities
- Proof of Concept
- Possible Counter Measures

Answer

1.0 INTRODUCTION

1.1 DESCRIPTION OF VULNERABILITIES

What is a Vulnerability?
A vulnerability is a flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy. A threat is a potential attack that, by exploiting a vulnerability, may harm the assets owned by an application (resources of value, such as the data in a database or in the file system). A test is an action that tends to show a vulnerability in the application. A web application vulnerability also refers to a weakness in a custom web application's architecture, design, configuration, or code.

The Web Application Security Gap (How Does It Happen?)
- There is a lack of awareness of application vulnerabilities in security departments. Security departments scrutinize the desktop, the network, and even the web servers, but the web application escapes their measures.
- Even in departments that want to audit for web application vulnerabilities, the lack of effective tools has made it impractical.
- As a result, Certification and Accreditation programs rarely examine the web application.
- In fact, the entire development cycle is usually missing from security procedures and controls.
- This illustrates the fundamental gap between security and development, which creates these web application vulnerabilities.
- Many traditional information security practitioners are ill-equipped to mitigate application security issues:
  - Little to no experience coding
  - No experience coding in modern enterprise environments like .NET and J2EE
  - They understand that there are risks, but are not in a position to address them, or have no resources to manage the issues

How it Affects the System
Web application vulnerabilities occur in different areas: platform, administration and application.
- The web server itself is subject to a variety of known vulnerabilities, all of which must be promptly patched.
- The actual administration and management of the server and its contents is very important. A misconfigured server or poorly managed content can permit system file and source code disclosure.
- The application itself is of the utmost importance. It too can inadvertently reveal source code and system files, and even allow full system access. It can mistakenly allow replay attacks against your customers. It could allow a hacker to impersonate your customers. In addition, it is the web application that interacts with the database to manage and track customer information and to store business and transaction information. One slip-up in the web application can expose the entire system and database, right through a web browser, right over port 80.

Top Web Application Vulnerabilities and Security Threats
1. Unvalidated input
2. Broken access control
3. Broken authentication and access control
4. Cross-site scripting (XSS) flaws
5. Buffer overflows
6. Injection flaws
7. Improper error handling
8. Insecure storage
9. Application denial-of-service
10. Insecure configuration management
11. SQL injection
12. Parameter tampering
13. Cookie poisoning
14. Buffer overflow
15. Malicious file execution
16. Insecure direct object reference
17. Cross Site Request Forgery (CSRF)
18. Information leakage
19. Session management
20. Insecure cryptographic storage
21. Insecure communications
22. Failure to restrict URL access
23. Database server


1.2 PROOF OF CONCEPT

I chose to check the following web vulnerabilities for my project:
- SQL Injection, using www.facebook.com
- Cross Site Request Forgery (CSRF), using www.apple.com
- Denial of Service (DOS), using www.mtnonline.com

1.2.1 SQL Injection
SQL injection is a very old approach but it is still popular among attackers. This technique allows an attacker to retrieve crucial information from a web server's database. Depending on the application's security measures, the impact of this attack can vary from basic information disclosure to remote code execution and total system compromise. It has been rated from Moderate to Highly Critical. Previously vulnerable products: PHPNuke, MyBB, Mambo CMS, ZenCart, osCommerce.

This attack applies to any database, but from an attacker's perspective there are a few "favorites". MS SQL Server has the feature of an extended stored procedure call, which allows any system-level command to be executed via the MS SQL server, such as adding a user. Also, the error messages displayed by MS SQL Server reveal more information than a comparable MySQL server. While MS SQL Server is not especially prone to SQL injection attacks, there are security measures which should be implemented to make it secure and not allow the SQL server to give out critical system information.

Here is an example of vulnerable code in which the user-supplied input is directly used in a SQL query:

<form action="sql.php" method="POST">
<p>Name: <input type="text" name="username" /><br />
<input type="submit" value="Add Comment" /></p>
</form>

<?php
// Vulnerable on purpose: the POST value is interpolated straight into the SQL text.
$query = "SELECT * FROM users WHERE username = '{$_POST['username']}'";
$result = mysql_query($query);
?>

The script will work normally when the username doesn't contain any malicious characters. In other words, when submitting a non-malicious username (steve) the query becomes:

$query = "SELECT * FROM users WHERE username = 'steve'";


However, a malicious SQL injection query will result in the following attempt:

$query = "SELECT * FROM users WHERE username = '' OR '1'='1'";

As the OR condition is always true, the mysql_query function returns records from the database. A similar example, using AND and a SQL command to generate a specific error message, is shown in the URL in Figure 1.2.1.

Figure 1.2.1: SQL command to generate a specific error message

Based on the following figures we will understand the SQL injection testing on the Facebook web server using the WebCruiser web application vulnerability scanner.

Figure 1.2.2: Launching the scanner


Figure 1.2.3: Entering the web address to be tested

Figure 1.2.4: Beginning of the testing



Figure 1.2.5: Vulnerabilities shown

Figure 1.2.6: Final report (the WebCruiser trial version scanner is limited in generating the final results)

It is obvious that error messages help an attacker get hold of the information they are looking for (such as the database name, table names, usernames, password hashes, etc.). Displaying customized error messages may thus be a good workaround for this problem; however, there is another attack technique known as Blind SQL Injection, where the attacker is still able to perform a SQL injection even when the application does not reveal any database server error message containing useful information.

1.2.2 COUNTER MEASURES FOR SQL INJECTION
1. Avoid connecting to the database as a superuser or as the database owner. Always use customized database users with the bare minimum privileges required to perform the assigned task.
2. If the PHP magic_quotes_gpc setting is on, then all POST, GET and COOKIE data is escaped automatically.
3. PHP has two functions for MySQL that sanitize user input: addslashes (an older approach) and mysql_real_escape_string (the recommended method). This function comes with PHP >= 4.3.0, so you should first check that it exists and that you're running the latest version of PHP 4 or 5. mysql_real_escape_string prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
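The countermeasures above are PHP-specific and rely on escaping. The following is an added example, not code from the report: the same defect reproduced in Python with the standard-library sqlite3 module, next to the bound-parameter fix (which the report's list does not mention). lookup_vulnerable concatenates the submitted username into the SQL text exactly as the sql.php snippet does; lookup_parameterized passes it as a separate parameter, so the quote characters never become part of the statement. The users table, its two rows and the e-mail addresses are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed in-memory sample database with two users (not from the report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("steve", "steve@example.test"), ("alice", "alice@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Mirrors the report's PHP: user input is spliced straight into the SQL text."""
    query = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, username):
    """Fix: the value travels separately from the SQL text, so a quote in the
    input cannot change the statement's structure; it is matched as a literal."""
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo():
    """Run both lookups with a benign name and with the report's always-true condition."""
    conn = build_db()
    benign = "steve"
    injected = "' OR '1'='1"  # turns the WHERE clause into ... = '' OR '1'='1'
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_injected": lookup_vulnerable(conn, injected),
        "param_benign": lookup_parameterized(conn, benign),
        "param_injected": lookup_parameterized(conn, injected),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the injected input returns every row in the table; with the parameterized query it returns nothing, because no user is literally named `' OR '1'='1`.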


1.3.1 CROSS SITE REQUEST FORGERY
A CSRF attack forces a logged-on victim's browser to send a pre-authenticated request to a vulnerable web application, which then forces the victim's browser to perform a hostile action to the benefit of the attacker. CSRF can be as powerful as the web application that it attacks and in which the victim is currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end-user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

Cross-Site Request Forgery (CSRF) is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like changing the victim's email address, home address, or password, or purchasing something. CSRF attacks generally target functions that cause a state change on the server but can also be used to access sensitive data. Applications are vulnerable if any of the following holds:
- The application does not re-verify authorization of the action.
- A default login/password will authorize the action.
- The action is authorized based only on credentials which are automatically submitted by the browser, such as a session cookie, Kerberos token, basic authentication, or SSL certificate.

- Eliminate any Cross Site Scripting vulnerabilities: not all CSRF attacks require XSS, but XSS is a major channel for delivery of CSRF attacks.
- Generate unique random tokens for each form or URL, which are not automatically transmitted by the browser.
- Do not allow GET requests for sensitive actions.
- For sensitive actions, re-authenticate or digitally sign the transaction.

Through CSRF, the attacker can make the victim perform actions that they didn't intend to, such as logout, purchasing an item, changing account information, retrieving account information, or any other function provided by the vulnerable website. Sometimes it is possible to store the CSRF attack on the vulnerable site itself. Such vulnerabilities are called Stored CSRF flaws. This can be accomplished by simply storing an IMG or IFRAME tag in a field that accepts HTML, or by a more complex cross-site scripting attack. If the attacker can store a CSRF attack in the site, the severity of the attack is amplified. In particular, the likelihood is increased because the victim is more likely to view the page containing the attack than some random page on the Internet. The likelihood is also increased because the victim is sure to be authenticated to the site already.

CSRF attacks are also known by a number of other names, including XSRF, "Sea Surf", Session Riding, Cross-Site Reference Forgery and Hostile Linking. Microsoft refers to this type of attack as a One-Click attack in their threat modeling process and in many places in their online documentation. The following sequence of figures describes how I tested the CSRF vulnerability on the Apple store web site.

Figure 1.3.1: CSRF


Figure 1.3.2: Entering the Apple web address

Figure 1.3.3: Finding the target web site

Figure 1.3.4: Logging in to the web site


Figure 1.3.5: Login to the web site completed for the vulnerability scan

Figure 1.3.6: Web scan begins


Figure 1.3.7: Elements of vulnerabilities shown

Figure 1.3.8: Many vulnerability elements


Figure 1.3.9: Vulnerability definition as CSRF

Figure 1.3.10: Final report results


1.3.2 COUNTER MEASURES FOR CSRF
Countermeasures for CSRF: Client/User
- Log off immediately after using a web application.
- Do not allow your browser to save usernames/passwords, and do not allow sites to remember your login.
- Do not use the same browser to access sensitive applications and to surf the Internet freely; if you have to do both things on the same machine, do them with separate browsers.
- Integrated HTML-enabled mail/browser and newsreader/browser environments pose additional risks, since simply viewing a mail message or a news message might lead to the execution of an attack.

Countermeasures for CSRF: Developer
- Add session-related information to the URL.
- Use POST instead of GET.
- Automatic logout mechanisms.
- Rely on referrer headers.
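Two of the developer countermeasures listed in this report (unique random tokens that the browser does not send automatically, and no GET for sensitive actions) are combined in the following added example, which is not code from the report. A token is a random nonce plus an HMAC over the session identifier and that nonce, so it is valid only for the session that was issued it; the server checks it before performing a state change. SERVER_SECRET, the session identifiers and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed for the example only. A real deployment loads the key from protected
# configuration; it must never live in source code.
SERVER_SECRET = b"example-only-server-secret"


def issue_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Return "<nonce>.<mac>" bound to this session.

    The token goes into a hidden form field. Unlike the session cookie, the browser
    does not attach it on its own, so a forged cross-site request cannot carry it.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token, secret: bytes = SERVER_SECRET) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def authorize_state_change(method: str, session_id: str, token) -> bool:
    """Gate for a state-changing action such as changing an e-mail address.

    Rejects anything that is not a POST, then requires a token issued to this
    very session. A request riding only on the session cookie fails both ways.
    """
    if method.upper() != "POST":
        return False
    return token_is_valid(session_id, token)


if __name__ == "__main__":
    sess = "sess-A"
    tok = issue_token(sess)
    print("legitimate POST with token:", authorize_state_change("POST", sess, tok))
    print("GET with token:", authorize_state_change("GET", sess, tok))
    print("token from another session:", authorize_state_change("POST", "sess-B", tok))
    print("no token (cookie only):", authorize_state_change("POST", sess, None))
```

Because the MAC covers the session identifier, a token stolen or replayed against a different session fails verification even though the nonce and MAC are well-formed.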

1.4.1 DENIAL OF SERVICE


A denial-of-service attack (DOS) is a type of attack on a network that is designed to bring the network resource to its knees by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols. For all known DoS attacks there are software fixes that system administrators can install to limit the damage caused by the attacks; but, like viruses, new DoS attacks are constantly being dreamed up by hackers. Another typically used DoS technique is to send packets with the SYN flag to a server, initiating a session, but never sending the packet with the ACK flag, thereby leaving the server in an unresponsive state as it waits for responses.

The primary goal of the attack is to deny the victim(s) access to a particular resource. Including information that may help you respond to such an attack. A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. Examples include:
- attempts to "flood" a network, thereby preventing legitimate network traffic
- attempts to disrupt connections between two machines, thereby preventing access to a service
- attempts to prevent a particular individual from accessing a service
- attempts to disrupt service to a specific system or person

Not all service outages, even those that result from malicious activity, are necessarily denial-of-service attacks. Other types of attack may include a denial of service as a component, but the denial of service may be part of a larger attack. Illegitimate use of resources may also result in denial of service. For example, an intruder may use your anonymous FTP area as a place to store illegal copies of commercial software, consuming disk space and generating network traffic.

Modes of Attack
Denial-of-service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:
- Consumption of scarce, limited, or non-renewable resources
- Destruction or alteration of configuration information
- Physical destruction or alteration of network components
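The SYN-without-ACK behaviour described above leaves connections half-open, and that is what a defender can count. The following is an added example (not from the report) of detection logic run over a constructed sample of connection events: each SYN opens a half-open entry for its flow, a later ACK, FIN or RST closes it, and any source still holding at least `threshold` half-open connections is flagged. The log format, the RFC 5737 documentation addresses and the threshold value are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample events, as a server-side sensor might record them:
# "<epoch> <src>:<sport> <dst>:<dport> <flag>". 198.51.100.7 completes its
# handshakes; 203.0.113.9 opens five connections and never finishes any of them.
SAMPLE_EVENTS = """\
1351500000 198.51.100.7:40001 192.0.2.10:80 SYN
1351500000 198.51.100.7:40001 192.0.2.10:80 ACK
1351500001 198.51.100.7:40002 192.0.2.10:80 SYN
1351500001 198.51.100.7:40002 192.0.2.10:80 ACK
1351500002 203.0.113.9:51000 192.0.2.10:80 SYN
1351500002 203.0.113.9:51001 192.0.2.10:80 SYN
1351500002 203.0.113.9:51002 192.0.2.10:80 SYN
1351500003 203.0.113.9:51003 192.0.2.10:80 SYN
1351500003 203.0.113.9:51004 192.0.2.10:80 SYN
this line is malformed and must be skipped
"""

EVENT_RE = re.compile(r"^(\d+) (\S+):(\d+) (\S+):(\d+) (SYN|ACK|FIN|RST)$")


def half_open_by_source(lines):
    """Return {src_ip: number of flows still half-open} after replaying the events.

    A flow is (src, sport, dst, dport). SYN marks it half-open; ACK/FIN/RST from
    the same flow clears it. Lines that do not match the format are ignored.
    """
    half_open = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        _ts, src, sport, dst, dport, flag = m.groups()
        flow = (src, sport, dst, dport)
        if flag == "SYN":
            half_open[flow] = True
        else:
            half_open.pop(flow, None)
    counts = defaultdict(int)
    for src, _sport, _dst, _dport in half_open:
        counts[src] += 1
    return dict(counts)


def flag_syn_flood_sources(lines, threshold=3):
    """Sources holding at least `threshold` half-open connections (tunable assumption)."""
    return {src: n for src, n in half_open_by_source(lines).items() if n >= threshold}


if __name__ == "__main__":
    print(flag_syn_flood_sources(SAMPLE_EVENTS.splitlines()))
```

The source that finished its handshakes never appears in the result, which is the distinction a plain packet-count threshold cannot make: it is the backlog of unfinished connections, not the volume of SYNs, that exhausts the server.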

Figure 1.4.1: Starting point


Figure 1.4.2: Entering the web site to be tested

Figure 1.4.3: Target checking


Figure 1.4.4: Login to the web site completed for the vulnerability scan

Figure 1.4.5: Beginning of scan


Figure 1.4.6: Vulnerabilities shown

Figure 1.4.7: Definition of DOS found on the MTN web site


Figure 1.4.8: Final vulnerability result report for www.mtnonline.com


1.4.2 COUNTER MEASURES FOR DOS Defending against Denial of Service attacks typically involves the use of a combination of attack detection, traffic classification and response tools, aiming to block traffic that they identify as illegitimate and allow traffic that they identify as legitimate. A list of prevention and response tools is provided below:

Firewalls
Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. Some DoS attacks are too complex for many firewalls, e.g. if there is an attack on port 80 (web service), packet filter firewalls cannot prevent that attack because they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls may be too deep in the network hierarchy. Routers may be affected before the traffic gets to the firewall. Nonetheless, firewalls can effectively prevent users from launching simple flooding type attacks from machines behind the firewall.

Switches
Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial-of-service attacks through automatic rate filtering and WAN link failover and balancing. These schemes will work as long as the DoS attacks are something that can be prevented by using them. For example, a SYN flood can be prevented using delayed binding or TCP splicing. Similarly, content-based DoS can be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering can work as long as you have set the rate thresholds correctly and granularly. WAN link failover will work as long as both links have a DoS/DDoS prevention mechanism.
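The rate filtering that switches and routers perform is usually a per-source token bucket, and the paragraph's caveat about setting thresholds correctly is exactly the bucket's two parameters. The following added example (not from the report) implements that filter in software and runs it over constructed traffic: one source sends a burst of twelve packets in a single second, another sends one packet per second. The rate and burst values are tunable assumptions chosen for the demonstration.

```python
class TokenBucketFilter:
    """Per-source token bucket.

    Each source starts with `burst` tokens and earns `rate` tokens per second,
    capped at `burst`. A packet is allowed if a token is available and consumes it.
    """

    def __init__(self, rate, burst):
        self.rate = float(rate)
        self.burst = float(burst)
        self.state = {}  # src -> (tokens, last_timestamp)

    def allow(self, src, ts):
        tokens, last = self.state.get(src, (self.burst, ts))
        tokens = min(self.burst, tokens + (ts - last) * self.rate)  # refill since last packet
        if tokens >= 1.0:
            self.state[src] = (tokens - 1.0, ts)
            return True
        self.state[src] = (tokens, ts)
        return False


def filter_packets(packets, rate=2, burst=5):
    """packets: iterable of (timestamp, src). Returns {src: (allowed, dropped)}.

    Packets are processed in time order so refill is computed correctly.
    """
    bucket = TokenBucketFilter(rate, burst)
    result = {}
    for ts, src in sorted(packets):
        allowed, dropped = result.get(src, (0, 0))
        if bucket.allow(src, ts):
            allowed += 1
        else:
            dropped += 1
        result[src] = (allowed, dropped)
    return result


# Constructed traffic (RFC 5737 documentation addresses): a 12-packet burst in one
# second from one source, and a steady 1 packet/second for 6 seconds from another.
SAMPLE_PACKETS = [(100.0, "203.0.113.9")] * 12 + [
    (100.0 + i, "198.51.100.7") for i in range(6)
]

if __name__ == "__main__":
    for src, (ok, dropped) in filter_packets(SAMPLE_PACKETS).items():
        print(f"{src}: allowed={ok} dropped={dropped}")
```

With burst 5 and rate 2/s the bursty source gets five packets through and loses seven, while the steady source is never touched. Setting the threshold too low would start dropping the steady source as well, which is the "correctly and granularly" problem the paragraph raises.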

Routers
Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under DoS attack. If you add rules to take flow statistics out of the router during the DoS attacks, they further slow down and complicate the matter. Cisco IOS has features that prevent flooding.

Application front end hardware
Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches.

Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management.

IPS based prevention
Intrusion-Prevention Systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks. An ASIC-based IPS can detect and block denial-of-service attacks because it has the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way. A rate-based IPS (RBIPS) must analyze traffic granularly, continuously monitor the traffic pattern and determine if there is a traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.

DDS based defense
More focused on the problem than IPS, a DoS Defense System (DDS) is able to block connection-based DoS attacks and those with legitimate content but bad intent. A DDS can also address both protocol attacks (such as Teardrop and Ping of Death) and rate-based attacks (such as ICMP floods and SYN floods). Like an IPS, a purpose-built system, such as the well-known Top Layer IPS products, can detect and block denial-of-service attacks at much nearer line speed than a software-based system.

Question 2

You are to create a use case and abuse case analysis, and counter measures for the abuse case system. Your task:
- Study an existing system's function.
- Choose a function of the system and write a description of it (including print screens).
- Create a use-case list (use your slides as a guide for structure).
- For each use case, create a list of abuse cases.
- For each abuse case, create counter measures for it.

Answer
2.1 EXISTING SYSTEM FUNCTION

First Bank of Nigeria PLC is a Nigeria-based bank that offers a range of financial services. The Bank is divided into three business segments: Corporate banking, Personal banking and e-banking Services. Its products are targeted at corporate and individual customers. The Bank operates through several subsidiaries, providing a range of banking services, including corporate banking, capital market operations, funds management, insurance brokerage, trusteeship, registrarship and pension custodianship.

2.2 DESCRIPTION OF CUSTOMER SERVICES

First Bank offers banking services to individuals; consumer banking is the provision of products and services to meet the financial needs of individuals with a steady and verifiable income flow. Here are some of its Consumer Banking Products:

U-First
U-First is a suite of retail and consumer loan products designed for individuals and small businesses to enable them to meet their business and personal needs.
Generic Savings Account
It is a hybrid savings account that runs on a savings platform with current account features for your convenience.

Generic Current Account
With FirstBank's current account, you just can't go wrong. You can carry out unlimited 3rd-party transactions seamlessly and enjoy the inherent benefits.

FirstPremium Term Deposit Account
FirstPremium Term Deposit is a value-added term deposit product which offers higher interest rates than the conventional term deposit.

First Savings Plus Account
It is a hybrid savings account that runs on a savings platform with current account features for your convenience.

First Hi-Fi (Children) Account
This is a special account designed for children from age 0 to 18 years to sensitize and cultivate a savings culture within this age bracket and to help parents plan towards the future of their children and wards.

FirstCurrent Plus (Zero COT Account)
Withdrawal is limited to five (5) times in a month; where a customer exceeds the number of withdrawals, the account will default to N5.00/mille COT on the total customer-induced transactions for that month.

FirstCurrent Business Account
A fee-based current account that allows customers to carry out numerous transactions without paying COT.

FirstDom Account
Are you upwardly mobile? Then FirstDom Plus is designed for you. It is an account that encourages you to save your foreign currency while still giving you the opportunity to earn higher interest on account balances.

FirstInstant Account
The FirstInstant Account is a savings product designed for the unbanked and underbanked to enhance financial inclusion.

Figure 2.1: First Bank Web Site

Figure 2.2: First Bank Description of Customer Services


2.3 BANK USE CASE LIST

In software and systems engineering, a use case is a list of steps, typically defining interactions between a role (known in the Unified Modelling Language, UML, as an "Actor") and a system, to achieve a goal. The actor can be a human or an external system. In systems engineering, use cases are used at a higher level than within software engineering, often representing missions or stakeholder goals. The detailed requirements may then be captured in SysML or as contractual statements.

Use-Case List (Diagram 2.1)

Actors: Bank Officer, Bank Customer

Use cases:
- Keep Account Data Up to date
- Pay Money
- Deposit
- Withdrawal
- Perform transaction (Transfer)
- Perform online transaction
- Inquiry
- Integrity of transaction
- Session/Counter

Use-Case Index (Table 2.1)

Use case ID   Use case Name         Primary Actor   Scope   Priority
1             Update account data   Bank officer    In      1
2             Deposit               Bank customer   In      1
3             Withdrawal            Bank customer   Out     1
4             Inquiry               Bank customer   Out     2

2.4 BANK ABUSE-CASE LIST

An abuse case describes the intentional misuse of a computer system, such as extracting unauthorized data from government databases, financial centres and school information systems. Computers, like any other tools, can be used by people with the intent of causing damage or carrying out some form of illegal activity. There are a number of ways in which computers can be used by an attacker for crime, e.g. real-world crimes such as forgery, fraud, piracy, and damaging or modifying computerised systems. Computers and the Internet are complex, but they function on a very narrow set of technical principles. This provides great flexibility, but makes it very difficult to restrict the activity of one without affecting the others, and to categorise the misuse of any one of them.

Abuse-Case List

Actors: Bank Officer, Bank Customer, Attacker

Use cases (from the use-case list): Keep Account Data Up to date, Perform online transaction, Deposit, Withdrawal, Perform transaction (Transfer), Inquiry, Integrity of transaction, Session/Counter

Abuse cases introduced by the Attacker:
- Unsecure network medium (against Perform online transaction)
- Intercept Money
- Money transfer to unintended account
- Change details of transaction
- Transfer Money to another account

2.5 BANK ABUSE-CASE COUNTER MEASURES

Abuse-case countermeasures address vulnerabilities to reduce the probability of attacks or the impact of threats. They do not directly address threats; instead, they address the factors that define the threats, and can have a different impact on attacks. A countermeasure can alleviate the effect of a vulnerability, patch it, or prevent the malicious tasks or system functionalities that bring about the vulnerabilities. These impacts are modelled through alleviate, patch, and prevent links respectively. The following diagram shows how the links are protected in order to stop attackers gaining access to customers' bank details.

Abuse-Case Counter Measures

Actors: Bank Officer, Bank Customer, Attacker

Use cases: Keep Account Data Up to date, Perform online transaction, Deposit, Withdrawal, Perform transaction (Transfer), Inquiry, Integrity of transaction, Session/Counter

Abuse cases (Attacker):
- Make online service unavailable
- Change details of transaction
- Transfer Money to another account

Counter measures:
- Ensure Account Privacy
- Use secure network Protocol
- Apply Cryptographic Procedure
- Install IP Filtering & Firewall (against Make online service unavailable)

Diagram 2.4
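The countermeasure "Apply Cryptographic Procedure" against the abuse case "Change details of transaction" can be made concrete with a message authentication code over the transaction fields, which is what the "Integrity of transaction" use case needs. The following is an added example, not First Bank's mechanism or code from the report: the transaction is serialized canonically (sorted keys, fixed separators) so the same fields always produce the same bytes, an HMAC-SHA256 tag is computed over them, and verification fails if any field was altered in transit. The key, the account numbers and the transaction identifier are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed for the example only: in practice the key is shared between the
# customer's authenticated channel and the bank's back end and stored in an HSM
# or protected configuration, never in source code.
INTEGRITY_KEY = b"example-only-integrity-key"


def canonical(tx: dict) -> bytes:
    """Serialize a transaction deterministically so field order cannot change the tag."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def tag_transaction(tx: dict, key: bytes = INTEGRITY_KEY) -> str:
    """HMAC-SHA256 over the canonical form; attached to the transaction by the sender."""
    return hmac.new(key, canonical(tx), hashlib.sha256).hexdigest()


def verify_transaction(tx: dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """Recompute the tag at the receiver and compare in constant time.

    Any change to from/to/amount/currency/tx_id yields a different tag, so an
    intermediary that rewrites the destination account is detected before posting.
    """
    return hmac.compare_digest(tag_transaction(tx, key), tag)


def demo():
    """Return (original verifies, tampered copy verifies) for a constructed transfer."""
    tx = {
        "tx_id": "T-0001",            # placeholder identifier
        "from": "0123456789",         # constructed account numbers
        "to": "9876543210",
        "amount": "5000.00",
        "currency": "NGN",
    }
    tag = tag_transaction(tx)
    tampered = dict(tx, to="1111111111")  # destination rewritten in transit
    return verify_transaction(tx, tag), verify_transaction(tampered, tag)


if __name__ == "__main__":
    ok, tampered_ok = demo()
    print("original verifies:", ok)
    print("tampered verifies:", tampered_ok)
```

The tag only proves integrity and origin from a key holder; it does not stop the same valid transaction being submitted twice, which is why the constructed record carries a transaction identifier the back end would also check for reuse.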

3.1 REFERENCES

1. Seitz, J. (2009). Gray Hat Python: Python Programming for Hackers and Reverse Engineers. 1st edition. Immunity, Inc.
2. Pinto, M. (2011). The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws. 2nd edition.
3. Ahmed, N., Matulevičius, R., Mouratidis, H. (2012). A Model Transformation from Misuse Cases to Secure Tropos. In: Proc. of the CAiSE'12 Forum at the 24th International Conference.
4. Wikipedia, the free encyclopedia (2012). Use case. http://en.wikipedia.org/wiki/Use_case
5. Answers.com (2012). What is Denial of Service attack. Answers Corporation. http://wiki.answers.com/Q/What_is_Denial_of_Service_attack
6. Webopedia (2012). DoS attack. http://www.webopedia.com/TERM/D/DoS_attack.html
7. CERT/CC (2012). CERT Coordination Center, Software Engineering Institute, Carnegie Mellon University. http://www.cert.org/tech_tips/denial_of_service.html
8. Dowd, M., McDonald, J., Schuh, J. (2006). The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. 1st edition. Addison-Wesley Professional.
9. Cadoree, M. (1994). Computer Crime and Security. Washington, D.C.: LC Science Tracer Bullet.
