Web, Cloud IOT Security - Compressed

Security
Cloud
IoT Security
Web
Computer Security: Principles and Practice
Fourth Edition, Global Edition By: William Stallings and Lawrie Brown
WEB, CLOUD & IOT SECURITY Team
TTTN3513: COMPUTER & NETWORK SECURITY Modellers
cloud computing

cloud computing
NIST defines cloud “cloud computing: a model for enabling ubiquitous, convenient,
computing, in nist sp- on-demand network access to a shared pool of configurable
800-145 (the nist computing resources (e.g., networks, servers, storage, applications,
definition of cloud and services) that can be rapidly provisioned and released with
minimal management effort or service provider interaction. this
computing, september
cloud model promotes availability and is composed of five
2011) as follows: essential characteristics,
three service models, and four deployment models.”

cloud deployment models

cloud service models

NIST Cloud Computing Reference Model

cloud computing security issues

data protection in the cloud

risks and countermeasures
issues descriptions countermeasures
abuse and nefarious criminals use anonymity behind  stricter initial registration and validation processes
1 use of cloud some registration processes
 enhanced credit card fraud monitoring and coordination
 comprehensive inspection of customer network traffic
computing allow users to conduct activity  monitoring public blacklists for one’s own network blocks
insecure interfaces cloud services rely upon APIs for  analyzing the security model of CSP interfaces
2 and API’s many of the management  ensuring that strong authentication and access controls
functions and as customers build are implemented in concert with encrypted
upon these APIs it creates transmission
complexity and risks.
 understanding the dependency chain associated with
the APIs

malicious insiders increased by the combination of  enforce strict supply chain management and conduct a
3 services and customers under a
comprehensive supplier assessment
 specify human resource requirements as part of legal
single management domain contract
 require transparency into overall information security and
management practices, as well as compliance reporting
 determine security breach notification processes
shared technology added risk with shared services  implement security best practices for
4 issues and possible virtualization installation/configuration
 monitor environment for unauthorized changes/activity
 promote strong authentication and access control for
administrative access and operations
 enforce slas for patching and vulnerability remediation
 conduct vulnerability scanning and configuration audits

data loss or leakage increased due to the number of  enforce strict supply chain management and conduct a
5 and interactions between risks
comprehensive supplier assessment
 specify human resource requirements as part of legal
and challenges which are unique contract
to cloud  require transparency into overall information security and
management practices, as well as compliance reporting
 determine security breach notification processes
account or service same attack methods, but risk  prohibit the sharing of account credentials between
6 hijacking increased users and services
 leverage strong two-factor authentication techniques
where possible
 employ proactive monitoring to detect unauthorized
activity
 understand csp security policies and slas

unknown risk profile new way of business  disclosure of applicable logs and data
7  partial/full disclosure of infrastructure details
 monitoring and alerting on necessary information

OpenStack
Open-source software project of the OpenStack Foundation that aims to produce an

open-source cloud operating system
The principal objective is to enable creating and managing huge groups of virtual
private servers in a cloud computing environment
OpenStack is embedded, to one degree or another, into data center infrastructure and
cloud computing products
It provides multi-tenant IaaS, and aims to meet the needs of public and private clouds,
regardless of size, by being simple to implement and massively scalable

internet of things (IoT)

the internet of things (IoT)
definition
The IoT involves embedded computing

devices interconnected with the existing
Internet infrastructure
examples
Built-in-sensors
Smart Devices (thermostats)
Home Appliance (networked & remote
monitoring)

iot components

https://uk.rs-online.com/euro/img/global/campaigns/i/iot-chart-final.png
iot / cloud context

patching vulnerability
There is a crisis point with The embedded devices are Chip manufacturers have
The device manufacturers
regard to the security of riddled with vulnerabilities strong incentives to produce
focus is the functionality of
embedded systems, including and there is no good way to their product as quickly and
the device itself
IoT devices patch them cheaply as possible
It is potentially a graver threat

The end user may have no The result is that the hundreds This is certainly a problem
with actuators, where the
means of patching the system of millions of Internet- with sensors, allowing
attacker can affect the
or, if so, little information connected devices in the IoT attackers to insert false data
operation of machinery and
about when and how to patch are vulnerable to attack into the network
other devices

iot security and privacy requirements
• ITU-T Recommendation Y.2066 includes a list of security requirements for the IoT
• The requirements are defined as being the functional requirements during capturing,
storing, transferring, aggregating, and processing the data of things, as well as to the
provision of services which involve things
• The requirements are:
• Communication security
• Data management security
• Service provision security
• Integration of security policies and techniques
• Mutual authentication and authorization
• Security audit

iot security environment
Source: https://www.cisco.com/c/dam/en_us/about/security/images/csc_child_pages/white_papers/iot-figure4.jpg

MiniSec
• MiniSec is an open-source security module that is part of the TinyOS

operating system
• It is designed to be a link-level module that offers a high level of
security, while simultaneously keeping energy consumption low and
using very little memory
• MiniSec provides confidentiality, authentication, and replay protection
• MiniSec has two operating modes, one tailored for single-source
communication, and another tailored for multi-source broadcast
communication

MiniSec Data authentication
Resilient
to lost Confidentiality
messages
MiniSec is
designed to
meet the
following
requirements:
Low
Replay
energy
overhead protection
Freshness

web security

security issue: web browser
• Security issues for browsers, arise

from several complications:
• A browser often connects to more than
the one address shown in the browser’s
address bar.
• Fetching data can entail accesses to
numerous locations to obtain pictures,
audio content, and other linked
content.
• Browser software can be malicious or
can be corrupted to acquire malicious
functionality.

• Popular browsers support add-ons,

extra code to add new features to the
browser, but these add-ons themselves
can include corrupting code.
• www.tripwire.com/state-of-security/latest-
security-news/researchers-discover-google-
chrome-is-plagued-with-malicious-browser-
extensions/ (2014)
• http://www.tripwire.com/state-of-
security/topics/latest-security-news/
• Data display involves a rich command

set that controls rendering, positioning,
motion, layering, and even invisibility.

• The browser can access any data on a

user’s computer (subject to access
control restrictions);
• generally the browser runs with the same
privileges as the user.
• Data transfers to and from the user are

invisible, meaning they occur without
the user’s knowledge or explicit
permission.

number of vulnerabilities
discovered in browsers
internet security threats
report, symantec, april
2016

Attacks on Browsers

attacks on browser
browser attacks
program
man-in-the- page-in-the-
keystroke logger download false contents defaced website
browser middle substitution

how browser attacks succeed: failed
identification and authentication
• The central failure of these in-the-middle attacks is faulty authentication.
• If A cannot be assured that the sender of a message is really B, A cannot trust the
authenticity of anything in the message.
• Your bank takes steps to authenticate you, but how can you authenticate your bank? –
not mutually authenticated

successful identification and authentication
• One-Time Password - As its name implies, a one-time password is good for only
one time usage. To use a one-time password scheme, the two end parties need to
have a shared secret list of passwords.
• When one password is used, both parties mark the word off the list and use the next word
the next time.
• Token can also be used

Protecting Web Sites Against Change
• Integrity Checksums –
• A checksum, hash code, or error detection code is a mathematical function that reduces a
block of data (including an executable program) to a small number of bits.
• Changing the data affects the function’s result in mostly unpredictable ways, meaning that it
is difficult—although not impossible—to change the data in such a way that the resulting
function value is not changed.
• Using a checksum, you trust or hope that significant changes will invalidate the checksum
value
• To detect data modification, administrators use integrity-checking tools, such as Tripwire
program

Obtaining User data
- Code within data

(1) cross site scripting (XSS)
• To a user (client) it seems as if interaction with a server is a direct link, so it is easy

to ignore the possibility of falsification along the way.
• However, web interactions involve several parties, not just the simple case of one
client to one server.
• In an attack called cross-site scripting, executable code is included in the
interaction between client and server and executed by the client or server.

(1) cross site
scripting (XSS)
Victim Hacker /Attacker

XSS
• A very common vulnerability found in Web Applications

• XSS allows the attacker to inject malicious code
• The cause is usually because the developer trusts user inputs, or
without proper coding, then send back user input data to the client
browser so the malicious code will execute.
• Types: reflected XSS (non-persistent), stored XSS (persistent), DOM
XSS (Document Object Model)

XSS
• reflected XSS (non-persistent): script is executed on the victim side

and not stored on the server
• stored XSS (persistent): script is executed and stored on the server
• DOM XSS (Document Object Model) : client-side attack uses server
script & malicious script

(2) SQL injections
• An attack that uses the improper way of coding of your web applications
• Allows hacker to inject SQL commands into fields in a form, such as text boxes
and text area, to allow them to gain access to the data held within your database.
• these fields allow SQL statements to pass through, and query the database
directly.

TTTN3513: COMPUTER & NETWORK SECURITY Modellers 91
https://www.youtube.com/watch?v=3Axp3VDnf0I
(2) SQL
injections
WEB, CLOUD & IOT SECURITY

TTTN3513: COMPUTER & NETWORK SECURITY 91
(2) SQL
injections

(2) SQL
injections

SQL injections- example (1)
http://www.w3schools.com/sql/sql_injection.asp
Server Code:
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
• SQL Injection Based on 1=1 is Always True

• The code creates a SELECT statement by adding a variable (txtUserId) to a select string.
• The variable is fetched from the user input (Request) to the page.

SQL injections-
example (1)

Server Code:
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
• Let's say, that the original purpose of the code was to create an SQL
statement to select a user with a given user id.
• If there is nothing to prevent a user from entering "wrong" input, the
user can enter some "smart" input like this:
Server Result
SELECT * FROM Users WHERE UserId = 105 or 1=1
• The SQL above is valid. It will return all rows from the table Users,
since WHERE 1=1 is always true.
• Does the example above seems dangerous? What if the Users table
contains names and passwords?
• Another try:
SELECT UserId, Name, Password FROM Users WHERE

UserId = 105 or 1=1
• A smart hacker might get access to all the user names and passwords
in a database by simply inserting 105 or 1=1 into the input box.

• SQL Injection Based on ""="" is Always True

• common GUI used to verify user login to a web site:
Server Code:
uName = getRequestString("UserName");
uPass = getRequestString("UserPass");
sql = "SELECT * FROM Users WHERE Name ='" + uName + "' AND
Pass ='" + uPass + "'"

• SQL Injection Based on ""="" is Always True

• A smart hacker might get access to user names and passwords in a database by simply
inserting " or ""=" into the user name or password text box.
Result:
SELECT * FROM Users WHERE Name ="" or ""="" AND

Pass ="" or ""=""
• The result SQL is valid.

• It will return all rows from the table Users, since WHERE ""="" is always true.

SQL injections- protection
• The only proven way to protect a web site from SQL injection attacks, is to
use SQL parameters.
• SQL parameters are values that are added to an SQL query at execution
time, in a controlled manner.
• Examples (ASP.NET):
txtSQL = "SELECT * FROM Users WHERE UserId = @0";
db.Execute(txtSQL,txtUserId);
• Note that parameters are represented in the SQL statement by a @ marker.

• The SQL engine checks each parameter to ensure that it is correct for its
column and are treated accurately, and not as part of the SQL to be executed.

SQL injections-
protection

Phishing Attacks

fake/phishing email
• Email phishing, in which someone tries to trick you into revealing personal
information by sending fake emails that look legitimate
• Remains one of the biggest online threats

fake/phishing email

fake/phishing email
• This forgery was relatively well done: the images were clear and the language was
correct;
• sometimes forgeries of this sort have serious spelling and syntax errors, although the quality
of unauthentic emails has improved significantly.
• Attackers using fake email know most people will spot the forgery.
• On the other hand, it costs next to nothing to send 100,000 messages, and even if
the response rate is only 0.1%, that is still 100 potential victims.

Thank you


Web, Cloud IOT Security - Compressed

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Web, Cloud IOT Security - Compressed

Uploaded by

Copyright:

Available Formats

Security

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

issues descriptions countermeasures

WEB, CLOUD & IOT SECURITY Team

issues descriptions countermeasures

WEB, CLOUD & IOT SECURITY Team

issues descriptions countermeasures

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

Open-source software project of the OpenStack Foundation that aims to produce an

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

The IoT involves embedded computing

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

It is potentially a graver threat

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

• MiniSec is an open-source security module that is part of the TinyOS

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

• Security issues for browsers, arise

WEB, CLOUD & IOT SECURITY Team

• Popular browsers support add-ons,

• Data display involves a rich command

WEB, CLOUD & IOT SECURITY Team

• The browser can access any data on a

• Data transfers to and from the user are

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

• The central failure of these in-the-middle attacks is faulty authentication.

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team

• To a user (client) it seems as if interaction with a server is a direct link, so it is easy

WEB, CLOUD & IOT SECURITY Team

Victim Hacker /Attacker

WEB, CLOUD & IOT SECURITY Team

• A very common vulnerability found in Web Applications

WEB, CLOUD & IOT SECURITY Team

• reflected XSS (non-persistent): script is executed on the victim side

WEB, CLOUD & IOT SECURITY Team

WEB, CLOUD & IOT SECURITY Team