COMPUTER SECURITY

1
 Group 5

Members
Prince Mupangavanhu – R192721N
Wayne Nzvere – R132500H
Nyasha P Muzeanenhamu – R191197V
Edwin M Muzeza – R1814999V
Anotida H.M Pasi – R1815002M
Clive Masawi – R1814915Q
Tatenda G Rufu – R193782A
Silvanos Dambwa – R192722A
Royal Guta – R193881Y
 CHAPTER 3

Fundamental Security Design Principles

Security Design Principles
Attack Surfaces
Attack Trees
Attack Tree for Internet Banking
Authentication
 SECURITY DESIGN PRINCIPLES

What is a “principle” ?
a fundamental truth or proposition serving as the foundation for belief or
action.

We define a security design principle as… .

a declarative statement made with the intention of guiding security design
decisions in order to meet the goals of a system

4
10 KEY SECURITY PRINCIPLES

5
 TEN KEY SECURITY PRINCIPLES
• Assign the least privilege • Fail securely & use secure
possible defaults

• Separate responsibilities • Never rely upon obscurity

• Trust cautiously • Implement defence in depth

• Simplest solution possible • Never invent security

technology

• A u dit sensitive events • Find the weakest link

6
 1- LEAST PRIVILEGE

Broad privileges allow malicious or accidental access to

Why?
protected resources

Principle Limit privileges to the minimum for the context

Tradeoff Less convenient; less efficient; more complexity

Run server processes astheir own users with exactly

Example
the set of privileges they require
7
 2 - SEPARATE RESPONSIBILITIES

Achieve control and accountability, limit the impact of

Why?
successful attacks, make attacks less attractive
Separate and compartmentalise responsibilities and
Principle
privileges
Development and testing costs; operational complexity:
Tradeoff
troubleshooting more difficult
“Payments” module administrators have no
Example
access to or control over “Orders” module
features
8
 3- TRUST CAUTIOUSLY

Many security problems caused by inserting malicious

Why?
intermediaries in communication paths
Assume unknown entities are untrusted, have aclear
Principle
process to establish trust, validate who is connecting
Operational complexity (particularly failure recovery);
Tradeoff
reliability; some development overhead
Don't accept untrusted RMI connections, use client
Example
certificates, credentials or network controls
9
 4- SIMPLEST SOLUTION POSSIBLE
The price of reliability is the pursuit of the utmost simplicity - C.A.R. Hoare

Security requires understanding of the design -

Why?
complexity rarely understood - simplicity allows analysis
Actively design for simplicity - avoid complex failure
Principle
modes, implicit behaviour, unnecessary features, …
Hard decisions on features and sophistication;
Tradeoff
Needs serious design effort to be simple
Does the system really need dynamic runtime
Example
configuration via a custom DSL?
10
 5 - AUDIT SENSITIVE EVENTS

Provide record of activity, deter wrong doing, provide a

Why?
log to reconstruct the past, provide amonitoring point
Record all security significant events in a
Principle
tamper- resistant store

Tradeoff Performance; operational complexity; dev cost

Record changes to "core" business entities in an append-

Example
only store with (user, ip, timestamp, entity, event)
11
 6 - SECURE DEFAULTS & FAIL SECURELY

Default passwords, ports & rules are “open doors”

Why?
Failure and restart states often default to
“insecure”
Force changes to security sensitive parameters
Principle
Think through failures - to be secure but recoverable

Tradeoff Convenience

Don’t allow “SYSTEM/MANAGER” after installation

Example
On failure don’t disable or reset security controls
12
 7 - NEVER RELY ON OBSCURITY

Hiding things is difficult - someone is going

Why?
to find them, accidentally if not on purpose
Assume attacker with perfect knowledge, this
Principle
forces secure system design

Tradeoff Designing atruly secure system takes time and effort

Assume an attacker will guess a"port knock" network

Example
request sequence or apassword obfuscation technique
13
 8 - DEFENCE IN DEPTH

Systems do get attacked, breaches do happen, mistakes

Why?
are made - need to minimise impact
Don’t rely on single point of security, secure every level,
Principle
stop failures at one level propagating
Redundancy of policy; complex permissioning and
Tradeoff
troubleshooting; can make recovery difficult

Example Access control in UI, services, database, OS

14
 9 - NEVER INVENT SECURITY TECH

Security technology is difficult to create - avoiding

Why?
vulnerabilities is difficult
Don’t create your own security technology - always
Principle
use a proven component
Time to assesssecurity technology; effort to learn it;
Tradeoff
complexity
Don’t invent your own SSO mechanism, secret storage
Example
or crypto libraries … choose proven components
15
 10 - SECURETHEWEAKEST LINK

"Paper Wall" problem - common when focus

Why?
is on technologies not threats
Find the weakest link in the security chain and
Principle
strengthen it - repeat! (Threat modelling)
Significant effort required; often reveals problems at
Tradeoff
the least convenient moment!
Data privacy threat => encrypted communication but
Example
with unencrypted database storage and backups
16
 Attack Surfaces

An attack surface is the entire area of an organization

or system that is susceptible to hacking. It’s made up of
all the points of access that an unauthorized person
could use to enter the system. Once inside your
network, that user could cause damage by
manipulating or downloading data.
 What are the primary attack surfaces?
Network attack surface (i.e., network vulnerability)

Software attack surface (i.e., software vulnerabilities)

Human attack surface (e.g., social engineering)

 What are the primary attack surfaces?
Network attack surface (i.e., network vulnerability

Businesses today are connecting to the Internet using more and more devices. This creates more
gateways for cybercriminals to carry out cyberattacks.

Along with an exploding volume of data generated using these devices, new data also estimates that
there will be close to 50 billion connected Internet of Things (IoT) devices used worldwide by 2030.

Ransomware and hybrid ransomware attacks are significant threats to devices. A ransomware attack
on its own is bad enough as it allows hackers to take control of a device, and then demand a ransom
before the user can regain control.
 What are the primary attack surfaces?
Software attack surface (i.e., software vulnerabilities)

Ransomware and hybrid ransomware attacks are significant threats to devices. A ransomware attack
on its own is bad enough as it allows hackers to take control of a device, and then demand a ransom
before the user can regain control.
 What are the primary attack surfaces?
Human attack surface (e.g., social engineering)

Sophisticated cyberattacks primarily target employees because they are often the weakest link in the
digital security chain. In the Verizon DBIR 2020 report, human error accounts for 22% of breaches.
According to Gartner, 95% of cloud breaches occur due to human errors such as configuration
mistakes, and this is expected to continue.

Adding more risk, password policies and other safeguards designed to protect people, such as multi-
factor authentication (MFA), are not standard practice within most SMB organizations. And worse,
recent research shows that password behaviors continue to be an issue — 91% of people know that
using the same password on multiple accounts is a security risk, yet 66% continue to use the same
password anyway.

Attackers also use social engineering techniques to gain access to networks through employees.
Social engineering tricks people into handing over confidential company information. The hacker
often contacts employees via email, pretending to be a credible organization or even a colleague.
Most employees do not have the knowledge to defend themselves against these advanced social
engineering attacks.
 An attack tree

Attack trees are diagrams that depict attacks on a system in tree form. The tree root is the goal for
the attack, and the leaves are ways to achieve that goal. Each goal is represented as a separate tree.
Thus, the system threat analysis produces a set of attack trees.
Attack Tree for Internet Banking Authentication

The attack tree model for common attacks against online banking systems is presented in
Diagram below. This model represents the main components of banking systems
authorization and authentication mechanisms and efficient attacks against them.
The attacks exploit vulnerabilities inherent in the people (engineering social and phishing)
then to gain control of device (malware) and credential theft legitimate user (fake Web
pages and malware).
Attack Tree for Internet Banking Authentication
Attack Tree for Internet Banking Authentication
CREDENTIAL THEFT
This kind of attack is the simplest and most commonly performed against banking systems. It
basically consists in obtaining the necessary credentials and user data in order to access the
system as a legitimate user, providing information normally known only to legitimate users.

DEVICE CONTROL
The device control objective is to obtain full control of the user's device instead of only stealing
data used in the authentication process. The user's device itself is then used by the attacker to
access the banking service and perform frauds. This attack is more complex than credential theft
and tracing its origin is much more difficult because the attacker never directly accesses the online
banking service.

Malware
Malware targets end user devices such as computers and cell phones and install a malware which
pose a risk to the bank’s cyber security each time they connect to the bank’s network.
Sensitive data passes through this connection and the end user device installed with malware on
it, will attack the bank’s networks.
 Attack Tree for Internet Banking Authentication

Fake Web Page by use of Spoofing

A newer type of cyber security threat is spoofing , where hackers will find a way to impersonate a
banking website’s URL with a website that looks and functions exactly the same. When a user
enters his or her login information, that information is then stolen by hackers to be used later, the
new spoofing techniques do not use a slightly different but similar URL and they are able to target
users who visited the correct URL.

Social Engineering
Social engineering is the act of exploiting human weaknesses to gain access to personal
information and protected systems. Social engineering relies on manipulating individuals rather
than hacking computer systems to penetrate a target’s account. The most common social
engineering is phishing
Thank you … questions?