Computer Security: Principles and Practice
Fourth Edition, Global Edition By: William Stallings and Lawrie Brown
WEB, CLOUD & IOT SECURITY Team
TTTN3513: COMPUTER & NETWORK SECURITY Modellers
Cloud computing
NIST defines cloud computing, in NIST SP 800-145 (The NIST Definition of Cloud Computing, September 2011), as follows:
“Cloud computing: a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
Cloud computing threats and countermeasures:

1. Abuse and nefarious use of cloud computing
   Threat: criminals use the anonymity that some registration processes allow to conduct activity.
   Countermeasures:
   • stricter initial registration and validation processes
   • enhanced credit card fraud monitoring and coordination
   • comprehensive inspection of customer network traffic
   • monitoring public blacklists for one’s own network blocks

2. Insecure interfaces and APIs
   Threat: cloud services rely upon APIs for many of the management functions, and as customers build upon these APIs it creates complexity and risks.
   Countermeasures:
   • analyzing the security model of CSP interfaces
   • ensuring that strong authentication and access controls are implemented in concert with encrypted transmission
   • understanding the dependency chain associated with the APIs

3. Malicious insiders
   Threat: increased by the combination of services and customers under a single management domain.
   Countermeasures:
   • enforce strict supply chain management and conduct a comprehensive supplier assessment
   • specify human resource requirements as part of the legal contract
   • require transparency into overall information security and management practices, as well as compliance reporting
   • determine security breach notification processes

4. Shared technology issues
   Threat: added risk with shared services and possible virtualization issues.
   Countermeasures:
   • implement security best practices for installation/configuration
   • monitor the environment for unauthorized changes/activity
   • promote strong authentication and access control for administrative access and operations
   • enforce SLAs for patching and vulnerability remediation
   • conduct vulnerability scanning and configuration audits

5. Data loss or leakage
   Threat: increased due to the number of, and interactions between, risks and challenges which are unique to cloud.
   Countermeasures:
   • implement strong API access control
   • encrypt and protect the integrity of data in transit
   • analyze data protection at both design and run time
   • implement strong key generation, storage and management, and destruction practices

6. Account or service hijacking
   Threat: same attack methods, but risk increased.
   Countermeasures:
   • prohibit the sharing of account credentials between users and services
   • leverage strong two-factor authentication techniques where possible
   • employ proactive monitoring to detect unauthorized activity
   • understand CSP security policies and SLAs

7. Unknown risk profile
   Threat: new way of business.
   Countermeasures:
   • disclosure of applicable logs and data
   • partial/full disclosure of infrastructure details
   • monitoring and alerting on necessary information
OpenStack
• OpenStack’s principal objective is to enable creating and managing huge groups of virtual private servers in a cloud computing environment.
• OpenStack is embedded, to one degree or another, into data center infrastructure and cloud computing products.
• It provides multi-tenant IaaS and aims to meet the needs of public and private clouds, regardless of size, by being simple to implement and massively scalable.
IoT: definition and examples
• Built-in sensors
• Smart devices (thermostats)
• Home appliances (networked and remotely monitored)

• There is a crisis point with regard to the security of embedded systems, including IoT devices.
• The embedded devices are riddled with vulnerabilities and there is no good way to patch them.
• Chip manufacturers have strong incentives to produce their product as quickly and cheaply as possible.
• The device manufacturers’ focus is the functionality of the device itself.
• ITU-T Recommendation Y.2066 includes a list of security requirements for the IoT
• The requirements are defined as being the functional requirements during capturing,
storing, transferring, aggregating, and processing the data of things, as well as to the
provision of services which involve things
• The requirements are:
• Communication security
• Data management security
• Service provision security
• Integration of security policies and techniques
• Mutual authentication and authorization
• Security audit
Source: https://www.cisco.com/c/dam/en_us/about/security/images/csc_child_pages/white_papers/iot-figure4.jpg
MiniSec is designed to meet the following requirements:
• Confidentiality
• Resilient to lost messages
• Low energy overhead
• Replay protection
• Freshness
Browser attacks:
• man-in-the-browser
• keystroke logger
• page-in-the-middle
• program download substitution
• false contents
• defaced website
• If A cannot be assured that the sender of a message is really B, A cannot trust the
authenticity of anything in the message.
• Your bank takes steps to authenticate you, but how can you authenticate your bank? The two parties are not mutually authenticated.
• One-Time Password: as its name implies, a one-time password is good for only one use. To use a one-time password scheme, the two end parties need to share a secret list of passwords.
• When one password is used, both parties mark that word off the list and use the next word the next time.
• A token can also be used to supply one-time passwords.
• Integrity Checksums –
• A checksum, hash code, or error detection code is a mathematical function that reduces a
block of data (including an executable program) to a small number of bits.
• Changing the data affects the function’s result in mostly unpredictable ways, meaning that it
is difficult—although not impossible—to change the data in such a way that the resulting
function value is not changed.
• Using a checksum, you trust or hope that significant changes will invalidate the checksum
value
• To detect data modification, administrators use integrity-checking tools such as the Tripwire program.
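As an added example (not from the slides and not Tripwire’s own code), the block below shows both halves of the argument above: a simple additive checksum that an attacker can keep unchanged after altering the data, and a Tripwire-style baseline of SHA-256 file hashes that reports modified, added and removed files. The directory layout and file contents in demo() are constructed for the illustration.

```python
"""Integrity checking: an additive checksum that tampering can survive, beside a
Tripwire-style SHA-256 baseline that it cannot.

Added example, not the slides' or Tripwire's own code.  The file names and
contents in demo() are constructed for the illustration.
"""
import hashlib
import tempfile
from pathlib import Path


def additive_checksum(data: bytes) -> int:
    """Toy error-detection code: sum of bytes mod 256.  Catches accidents, not attackers."""
    return sum(data) % 256


def forge_additive(original: bytes, tampered: bytes) -> bytes:
    """Append one byte so the tampered data keeps the original's additive checksum.
    This is the 'not impossible' case: the function's output is easy to steer."""
    fix = (additive_checksum(original) - additive_checksum(tampered)) % 256
    return tampered + bytes([fix])


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256: the trusted snapshot."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> tuple:
    """Return (modified, added, removed) file lists, as an integrity checker would report."""
    modified = sorted(k for k in baseline if k in current and baseline[k] != current[k])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return modified, added, removed


def demo() -> tuple:
    """Snapshot a constructed mini filesystem, alter it, and see what the check reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\nexec /usr/bin/login \"$@\"\n")
        (root / "etc" / "motd").write_bytes(b"Authorised users only.\n")
        baseline = build_baseline(root)          # taken while the system is trusted

        # Later: one program is altered, one new file appears, one file is deleted.
        (root / "bin" / "login").write_bytes(b"#!/bin/sh\necho tampered\nexec /usr/bin/login \"$@\"\n")
        (root / "bin" / "extra").write_bytes(b"unexpected binary\n")
        (root / "etc" / "motd").unlink()
        return compare(baseline, build_baseline(root))
```

The baseline itself must be stored where the attacker cannot rewrite it (read-only media or a separate host); otherwise the same party that alters a file can also recompute its hash.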
(2) SQL injections
• An attack that exploits improper coding of web applications.
• Allows an attacker to inject SQL commands into form fields, such as text boxes and text areas, to gain access to the data held within your database.
• Such fields let SQL statements pass through and query the database directly.

SQL injections - example (1)
Server Code:
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
• The original purpose of the code was to create an SQL statement to select a user with a given user id.
• If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this: 105 or 1=1
Server Result:
SELECT * FROM Users WHERE UserId = 105 or 1=1
• The SQL above is valid. It will return all rows from the table Users, since WHERE 1=1 is always true.
• Does the example above seem dangerous? What if the Users table contains names and passwords?
• A smart hacker might get access to all the user names and passwords in a database by simply inserting 105 or 1=1 into the input box.
• Another try:
Server Code:
uName = getRequestString("UserName");
uPass = getRequestString("UserPass");
sql = "SELECT * FROM Users WHERE Name ='" + uName + "' AND Pass ='" + uPass + "'"
Result:
• The reliable way to protect a web site from SQL injection attacks is to use SQL parameters (parameterised queries, also called prepared statements).
• SQL parameters are values that are added to an SQL query at execution time, in a controlled manner, so the database never interprets them as part of the SQL statement.
• Example (ASP.NET):
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = @0";
db.Execute(txtSQL,txtUserId);
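The two server-side snippets above, as an added example run end to end (this is not code from the slides): each vulnerable query is placed beside its parameterised form and executed against a constructed in-memory SQLite Users table, so the effect of the input 105 or 1=1 and of a quote-closing login string can be observed directly. The table contents, the row values and the hostile login string are assumptions made for the illustration.

```python
"""SQL injection: the slides' string-concatenation queries beside their parameterised
equivalents, executed against an in-memory SQLite database.

Added example, not code from the slides.  The Users table and its three rows are
constructed for the illustration; the *_vulnerable functions deliberately keep the
concatenation bug the slides describe.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER PRIMARY KEY, Name TEXT, Pass TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(105, "alice", "s3cret"), (106, "bob", "hunter2"), (107, "carol", "letmein")])
    return conn


# --- example (1): user lookup -------------------------------------------------

def lookup_user_vulnerable(conn, user_id: str) -> list:
    """Request value pasted straight into the statement: '105 or 1=1' becomes SQL."""
    sql = "SELECT * FROM Users WHERE UserId = " + user_id
    return conn.execute(sql).fetchall()


def lookup_user_safe(conn, user_id: str) -> list:
    """Same query with a parameter: the value is bound at execution time and is never
    parsed as SQL, so '105 or 1=1' is just a string that matches no UserId."""
    return conn.execute("SELECT * FROM Users WHERE UserId = ?", (user_id,)).fetchall()


# --- example (2): login check -------------------------------------------------

def login_vulnerable(conn, name: str, password: str) -> list:
    """Quotes from the request close the string literal and let the rest run as SQL."""
    sql = "SELECT * FROM Users WHERE Name ='" + name + "' AND Pass ='" + password + "'"
    return conn.execute(sql).fetchall()


def login_safe(conn, name: str, password: str) -> list:
    return conn.execute("SELECT * FROM Users WHERE Name = ? AND Pass = ?",
                        (name, password)).fetchall()


def demo() -> dict:
    """Row counts each variant returns for honest and for hostile input."""
    conn = make_db()
    hostile = "' or '1'='1"          # closes the literal, then makes the WHERE always true
    return {
        "lookup honest":   len(lookup_user_vulnerable(conn, "105")),
        "lookup injected": len(lookup_user_vulnerable(conn, "105 or 1=1")),
        "lookup safe":     len(lookup_user_safe(conn, "105 or 1=1")),
        "login honest":    len(login_vulnerable(conn, "alice", "s3cret")),
        "login injected":  len(login_vulnerable(conn, hostile, hostile)),
        "login safe":      len(login_safe(conn, hostile, hostile)),
    }
```

With the hostile login string the vulnerable query becomes `... WHERE Name ='' or '1'='1' AND Pass ='' or '1'='1'`, which is true for every row; the parameterised version compares the literal string against the Name and Pass columns and returns nothing.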
• Email phishing, in which someone tries to trick you into revealing personal information by sending fake emails that look legitimate, remains one of the biggest online threats.
• This forgery was relatively well done: the images were clear and the language was correct.
• Sometimes forgeries of this sort have serious spelling and syntax errors, although the quality of unauthentic emails has improved significantly.
• Attackers using fake email know most people will spot the forgery.
• On the other hand, it costs next to nothing to send 100,000 messages, and even if the response rate is only 0.1%, that is still 100 potential victims.