
Unit 5

Security
SECURITY VULNERABILITY AND RISK
Threat and vulnerability

[Diagram: Vulnerability, Assets, Control, Threat]


Vulnerability

• A vulnerability is a weakness in your hardware, software, or procedures.
• It is a gap through which a bad actor can gain access to your assets.
• In other words, threats exploit vulnerabilities.
• The Common Vulnerabilities and Exposures (CVE) list provides common names and identifiers for publicly known vulnerabilities, so that vendors, scanners and advisories all refer to the same flaw by the same ID.

Hacking Banks For Money - https://www.youtube.com/watch?v=uaqK8ocxDco
CVE report

Name: CVE-1999-0002
Status: Entry
Reference: BID:121
Reference: URL:http://www.securityfocus.com/bid/121
Reference: CERT:CA-98.12.mountd
Reference: CIAC:J-006
Reference: URL:http://www.ciac.org/ciac/bulletins/j-006.shtml
Reference: SGI:19981006-01-I
Reference: URL:ftp://patches.sgi.com/support/free/security/advisories/19981006-01-I
Reference: XF:linux-mountd-bo
Description: Buffer overflow in NFS mountd gives root access to remote attackers, mostly in Linux systems.
Common Vulnerability Scoring System

• CVSS (Common Vulnerability Scoring System)
 – A system that translates the characteristics and impacts of a vulnerability into a numerical score from 0.0 (none) to 10.0 (critical)
 – The base score combines how easy the flaw is to exploit (attack vector, complexity, privileges and user interaction required) with its impact on confidentiality, integrity and availability
 – Interactive calculator: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator
 • The Apache Struts vulnerability in 2017 scored a perfect 10.0
Software vulnerability
• An error in the specification, development or configuration of software such that its execution can violate the security policy
• Lack of input validation
 – The input validation vulnerability refers to a situation where user input is used in the software without confirming its validity

    query = "SELECT * FROM items WHERE itemname = '" + ItemName.Text + "'";
    // expected user input for ItemName: pencil
    // actual user input for ItemName: pencil' OR 'a'='a
    // resulting query:
    SELECT * FROM items WHERE itemname = 'pencil' OR 'a'='a';
    // which is equivalent to:
    SELECT * FROM items;
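The slide's snippet is written in a C#-style web framework; the following added example (not code from the slides) reproduces the same flaw in Python against an in-memory SQLite database so the effect can be run and observed, and places the parameterized fix beside it. The table, rows and the malicious input are constructed for the example.

```python
"""SQL injection (added example, not from the slides): the string-concatenated
query from the slide beside its parameterized replacement, run against an
in-memory SQLite database with constructed sample rows."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (itemname TEXT, price INTEGER)")
    # Constructed sample data.
    conn.executemany("INSERT INTO items VALUES (?, ?)",
                     [("pencil", 1), ("notebook", 3), ("stapler", 9)])
    return conn


def find_items_vulnerable(conn: sqlite3.Connection, item_name: str) -> list:
    """Mirrors the slide: the user's text is pasted into the SQL itself, so a
    quote character in the input changes the structure of the statement."""
    query = "SELECT itemname FROM items WHERE itemname = '" + item_name + "'"
    return [row[0] for row in conn.execute(query)]


def find_items_safe(conn: sqlite3.Connection, item_name: str) -> list:
    """Parameterized query: the SQL text is fixed and the value travels
    separately, so the input is only ever compared as data."""
    query = "SELECT itemname FROM items WHERE itemname = ?"
    return [row[0] for row in conn.execute(query, (item_name,))]


if __name__ == "__main__":
    conn = make_db()
    expected = "pencil"
    malicious = "pencil' OR 'a'='a"   # closes the quote, adds an always-true clause
    print(find_items_vulnerable(conn, expected))   # ['pencil']
    print(find_items_vulnerable(conn, malicious))  # all three rows: WHERE is always true
    print(find_items_safe(conn, expected))         # ['pencil']
    print(find_items_safe(conn, malicious))        # []: nothing is literally named that
```

The parameterized version is not "input validation" in the sense of rejecting bad characters; it removes the need to trust the input at all for this query. Validation of the value (length, allowed characters) is still worth doing for the application's own reasons, but it is not what stops the injection.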
Software vulnerability

• Unrestricted upload
 – The unrestricted upload vulnerability occurs when files are accepted by software without verifying that the file follows a strict specification (type, size, name).
 – An attacker can then upload executable content, such as a server-side script, instead of an image; if it is stored where the server will execute it, the attacker gains code execution on the site.
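The following added example (not code from the slides) shows what "a strict specification" for an image upload looks like in practice: a size limit, an extension allow-list, a check that the bytes really start with the signature of the claimed image type, and a server-chosen storage name. The limit, the allowed types and the sample file contents are assumptions for the example.

```python
"""Upload validation (added example, not from the slides): accept an upload
only if it meets a strict specification for an image file.
The size limit and allowed types are illustrative assumptions."""
import os
import secrets

MAX_BYTES = 2 * 1024 * 1024   # assumption: 2 MiB is plenty for an avatar-style image

# Allowed extensions and the leading bytes ("magic") a real file of that type has.
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": b"GIF8",
}


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, data: bytes) -> str:
    """Return a safe storage name for the file, or raise UploadRejected."""
    if len(data) == 0 or len(data) > MAX_BYTES:
        raise UploadRejected("empty or oversized file")

    # Use only the final path component, so '../../x.png' cannot escape the
    # upload directory, then check the extension against the allow-list.
    base = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension {ext!r} not allowed")

    # The name says .png; the content must agree. A PHP script renamed to
    # photo.png fails here because it does not start with the PNG signature.
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match claimed type")

    # Never keep the user's file name: a random name removes any chance of the
    # attacker choosing something the web server treats specially.
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    # Constructed sample contents.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    script = b"<?php system($_GET['c']); ?>"
    print(validate_upload("photo.png", png))        # random name ending in .png
    for name, blob in [("shell.php", script), ("shell.png", script)]:
        try:
            validate_upload(name, blob)
        except UploadRejected as e:
            print(name, "rejected:", e)
```

The signature check defeats a renamed script but not a polyglot file that carries a valid image header followed by code, so the remaining controls matter too: store uploads outside the web root or on a separate origin, serve them with the content type the server determined rather than the one the client claimed, and never let the upload handler's directory be interpreted by a script engine.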
• Cross-site scripting
 – Occurs when user-supplied input is used without verification as part of the output served to other users, so that the attacker's HTML or script runs in the victims' browsers.
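The following added example (not code from the slides) shows the same input reflected into two HTML contexts, element content and an attribute value, first as-is and then with output encoding. The page fragments and the payloads are constructed for the example.

```python
"""Cross-site scripting (added example, not from the slides): user-supplied
text placed into HTML served to other users, unverified and then encoded.
The templates and payloads below are constructed for this example."""
import html

TEXT_TEMPLATE = '<p class="comment">{}</p>'
ATTR_TEMPLATE = '<input name="q" value="{}">'


def render_comment_vulnerable(comment: str) -> str:
    """The comment goes into the page unchanged, so a <script> tag inside it
    runs in every other visitor's browser (stored XSS)."""
    return TEXT_TEMPLATE.format(comment)


def render_comment_safe(comment: str) -> str:
    """Output encoding for element content: <, > and & become entities, and the
    browser displays the payload as text instead of parsing it as markup."""
    return TEXT_TEMPLATE.format(html.escape(comment, quote=True))


def render_search_box_vulnerable(query: str) -> str:
    """Reflecting the query into an attribute is the same bug in another
    context: a double quote in the input ends the attribute early and the rest
    of the input becomes new attributes, such as an event handler."""
    return ATTR_TEMPLATE.format(query)


def render_search_box_safe(query: str) -> str:
    """quote=True matters in attribute context: it also encodes " and ', so the
    input cannot break out of the value="..." it was placed in."""
    return ATTR_TEMPLATE.format(html.escape(query, quote=True))


if __name__ == "__main__":
    script_payload = "<script>alert(document.cookie)</script>"
    attr_payload = '" autofocus onfocus="alert(1)'
    print(render_comment_vulnerable(script_payload))
    print(render_comment_safe(script_payload))
    print(render_search_box_vulnerable(attr_payload))
    print(render_search_box_safe(attr_payload))
```

Encoding must match the context the data lands in: the entity encoding above is right for HTML text and quoted attributes, but data placed inside a script block, a URL or a CSS value needs a different encoder, and a templating engine that escapes by default is safer than remembering to call the function at every sink.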
Software vulnerability

• Buffer overflow
 – Occurs when a program writes more data into a buffer than the buffer can hold, so the excess overwrites adjacent memory (other variables, return addresses, heap metadata); the CVE-1999-0002 mountd entry above is an example of the consequences.
• Missing authorization
 – Occurs when a program lets a user reach privileged functions or data without checking that this particular user is permitted to do so. Note that authentication (knowing who the user is) is not enough: the user can be logged in and still not be entitled to the action.
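The following added example (not code from the slides) shows a privileged operation that any authenticated caller can invoke, beside the same operation behind an explicit permission check. The roles, users and the in-memory account table are constructed for the example; authentication is assumed to have already identified the caller.

```python
"""Missing authorization (added example, not from the slides): an operation
reachable by any logged-in user, beside the same operation guarded by a role
check. Users, roles and the account table are constructed for the example."""
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


class Forbidden(PermissionError):
    pass


def require_role(role: str):
    """Decorator: run the wrapped function only if the acting user holds `role`.
    This is the authorization step the vulnerable version leaves out."""
    def decorator(func):
        @wraps(func)
        def wrapper(actor: User, *args, **kwargs):
            if role not in actor.roles:
                raise Forbidden(f"{actor.name} lacks role {role!r} for {func.__name__}")
            return func(actor, *args, **kwargs)
        return wrapper
    return decorator


ACCOUNTS = {"alice": 100, "bob": 50}   # constructed sample data


def set_balance_vulnerable(actor: User, account: str, amount: int) -> int:
    """The caller is identified (actor) but never checked: any authenticated
    user, including bob, can rewrite any balance."""
    ACCOUNTS[account] = amount
    return ACCOUNTS[account]


@require_role("admin")
def set_balance_safe(actor: User, account: str, amount: int) -> int:
    """Same operation; the decorator refuses callers without the admin role."""
    ACCOUNTS[account] = amount
    return ACCOUNTS[account]


def get_balance(actor: User, account: str) -> int:
    """Read access should be authorized too: a user may read only their own
    account unless they are an admin."""
    if account != actor.name and "admin" not in actor.roles:
        raise Forbidden(f"{actor.name} may not read {account}")
    return ACCOUNTS[account]


if __name__ == "__main__":
    bob = User("bob")
    admin = User("root", {"admin"})
    print(set_balance_vulnerable(bob, "alice", 0))   # bob empties alice's account
    try:
        set_balance_safe(bob, "alice", 0)
    except Forbidden as e:
        print("blocked:", e)
    print(set_balance_safe(admin, "alice", 100))
```

Enforce the check in the function that performs the privileged operation, not only in the menu or page that normally leads to it: hiding a button from non-admins does nothing against a user who calls the endpoint directly.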
• Unencrypted data
 – Occurs when sensitive data is stored locally or transmitted over a network without proper encryption, so anyone who can read the disk or observe the traffic can read the data.
Procedural vulnerability

• A weakness in the organization's operating methods which can be exploited to violate the security policy
• Password procedures
 – Passwords may not provide adequate security if the organization is not careful about its password procedures
• Training procedures
 – Organizations must make very clear to their staff that they will never send any unsolicited email to users asking them for their password or other credentials
Minimal security training procedures

• Organizations must maintain a policy of never asking employees for sensitive information such as usernames or passwords in an unsolicited email or phone call.
• Employees at all levels of the organization must know this policy.
• Employees should know that they can safely discard such emails, no matter what the source and no matter what the situation is.
Activity

• Let's make a strong password
 – Use 4 dice and choose your words from the eff_short_wordlist_1.txt file
 – You can use 3 or 4 words
 – Remember: longer is stronger
 – Use numbers and special characters
• The best password is one that you can't remember: chosen at random, not built from facts about you
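The following added example (not code from the slides) automates the dice activity. The EFF short wordlist maps every four-dice roll from 1111 to 6666 to a word, one "roll<TAB>word" pair per line; the file itself is not part of this page, so a small constructed stand-in in the same format is embedded, and load_wordlist() accepts the real file's text in its place. The function and variable names are this example's own.

```python
"""Dice-based passphrase generation (added example, not from the slides).
Rolls come from the OS cryptographic random source, never random.random().
SAMPLE_WORDLIST is a constructed stand-in for eff_short_wordlist_1.txt."""
import math
import secrets

# Constructed stand-in in the EFF file format (only a few of the 1296 rolls).
SAMPLE_WORDLIST = """1111\tacid
1112\tacorn
1113\tacre
1114\tacts
1115\tafar
1116\taffix
1121\taged
1122\tagent
"""


def load_wordlist(text: str) -> dict:
    """Parse 'roll<TAB>word' lines into {'1111': 'acid', ...}."""
    words = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        roll, word = line.split("\t")
        words[roll.strip()] = word.strip()
    return words


def roll_dice(n: int = 4) -> str:
    """n fair six-sided dice as a string such as '3516'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def passphrase(words: dict, n_words: int = 4, sep: str = "-") -> str:
    """Pick n_words words by rolling. With the full EFF list every roll hits a
    word; with the partial stand-in we simply roll again on a miss, which
    keeps the choice uniform over the words that are present."""
    chosen = []
    while len(chosen) < n_words:
        roll = roll_dice()
        if roll in words:
            chosen.append(words[roll])
    return sep.join(chosen)


def entropy_bits(list_size: int, n_words: int) -> float:
    """Each word drawn uniformly from list_size words adds log2(list_size) bits,
    regardless of how the words look."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST)   # replace with open(path).read() for the real list
    print(passphrase(words, 4))
    for n in (3, 4, 5):
        print(n, "words from the full list:", round(entropy_bits(6 ** 4, n), 1), "bits")
```

With the full 1296-word list, each word adds about 10.3 bits, so three words give roughly 31 bits and four about 41; adding a fifth word adds another 10.3 bits, whereas appending one digit adds about 3.3. That is the quantitative reason behind "longer is stronger". The strength figures only hold if the dice (or secrets) choose the words; picking favourite words by hand makes the result far more guessable than the arithmetic suggests.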


• People gave away their passwords for a pen (social engineering): https://www.youtube.com/watch?v=opRMrEfAIiI
Information security
Business survival depends on information security.

• Information security is an architecture in which an integrated combination of appliances, systems and solutions, software, alarms and vulnerability scans work together
• Monitored 24x7
• Made up of people, processes, technology, policies and procedures
• Security covers People, Processes and Technology (PPT), not only appliances or devices
Information security:
1. Protects information from a range of threats
2. Ensures business continuity
3. Minimizes financial loss
4. Optimizes return on investment
5. Increases business opportunities
[Diagram: People, Processes, Technology]
People (Who we are)

People who use or interact with the information include:
• Shareholders / owners
• Management
• Employees
• Business partners
• Service providers
• Contractors
• Customers / clients
• Regulators, etc.
Process (What we do)
Processes are "work practices" or workflows: the repeatable steps taken to accomplish business objectives. Typical processes in an IT infrastructure include:
• Helpdesk / service management
• Incident reporting and management
• Change request process
• Request fulfilment
• Access management
• Identity management
• Service level / third-party services management
• IT procurement process, etc.
Technology (What we use to improve what we do)
Network infrastructure:
• Cabling, data/voice networks and equipment
• Telecommunications services (PABX), including VoIP services, ISDN, video conferencing
• Server computers and associated storage devices
• Operating software for server computers
• Communications equipment and related hardware
• Intranet and Internet connections
• VPNs and virtual environments
• Remote access services
• Wireless connectivity
Application software:
• Finance and assets systems, including accounting packages, inventory management, HR systems, assessment and reporting systems
• Software as a service (SaaS), instead of software as a packaged or custom-made product, etc.
Physical security components:
• CCTV cameras
• Clock-in systems / biometrics
• Environmental management systems: humidity control, ventilation, air conditioning, fire control systems
• Electricity / power backup
Access devices:
• Desktop computers
• Laptops, ultra-mobile laptops and PDAs, thin-client computing
• Digital cameras, printers, scanners, photocopiers, etc.
Organizational security

• A sustained, appropriate level of security in team communication and information management
• Establish the minimum administrative, technical and physical safeguards that the organization will use to protect sensitive information from unauthorized access, disclosure, corruption or destruction.
Security breaches lead to...
• Reputation loss
• Financial loss
• Intellectual property loss
• Legislative breaches leading to legal action (cyber law)
• Loss of customer confidence
• Business interruption costs

LOSS OF GOODWILL
• Information security is an "organizational problem" rather than an "IT problem"
• More than 70% of threats are internal
• More than 60% of culprits are first-time fraudsters
• Biggest risk: people
• Biggest asset: people
• Social engineering is a major threat
• More than two thirds express their inability to determine "whether my systems are currently compromised"
Business continuity

• Flood.
• Cyber attack.
• Supply chain failure or losing a key employee.
• Disruptions to your business can happen at any moment.
• Business continuity is about having a plan to deal with difficult situations, so your organization can continue to function with as little disruption as possible.
• Whether it is a business, a public sector organization or a charity, you need to know how you can keep going under any circumstances.
Group Discussion

• Discuss key aspects of organizational security
• Group 1
• Group 2
• Group 3
• 15 minutes for preparation
• 5 minutes of discussion for each group
