Software is everywhere, and it needs to be secure. Security can be hard to achieve, but many methodologies for securing systems exist today. All try to answer the same fundamental set of questions.
- What is being protected?
- Are there any known threats and vulnerabilities?
- What are the impacts to the organization if the data is lost or leaked?
- What is the value of the data to the organization?
- What can be done to mitigate the risks?
Asset, threat, vulnerability, and exploit are the most commonly-used terms in the cyber security lingo. Depending on the literature some of these terms overlap and are sometimes used synonymously.
- An asset is what is being protected, something that has some value to its owner. Its value can be tangible (e.g. gold or a running server) or intangible (data)
- A threat is an intention to cause damage. For cyber security this can be defined as a hostile act aimed by an attacker at an asset. Regardless of the attacker's intent to do no harm, a threat is still a threat. The attacker posing a threat is commonly called a threat actor.
- A vulnerability is a defect in the target system. This defect may be a bug in application code, or a flaw in the design of the system. A vulnerabilities can also be a consequence of improper configuration or user action.
- An exploit is a way to take advantage of a known vulnerability. The usual objective is to take control over the asset. (Social engineering, commonly considered a simple scam, is one kind of exploit.)
What is Cyber Security and Why Should We Care About it?
Software is literally everywhere. Initially software resided on mainframes and only few people were in contact with it. Somewhat later the personal computer was invented and thanks to its popularity, software moved to the home. (That said, in the home software was still restricted and an attacker would need physical access to the target.)
One day the Internet spawned and began globally connecting personal computers. This made it easier for attackers as they no longer needed to physically visit targets. (Lest we forget, the Internet is incredibly useful to non-attackers as well.) The evolution of computers kept rolling on and one day we were introduced to cellular phones and eventually smart phones, which are basically small scale computers with wireless connectivity.
Currently we are on the brink of Internet of things, which promises to connect every device to the Internet. For example, we have smart TVs, smart locks, smart cars, and smart toasters. The software ranges from large, such as the operating system, to small, such as the USB driver.
There is going to be an explosion in the number of devices needing software. It has been said that by the year 2020 there will be 50 billion connections and devices. This poses a growing need for code and software developers, who will have great pressure to write both functional and secure code in a limited timeframe. Developers may face unrealistic time pressure to rush code to production.
In addition to the growing need for more code, the code base has gotten more complex. Every machine is connected and larger systems are now distributed. Different parts of the systems may be developed by different vendors, but need to interoperate. Moreover, most current systems are based on software frameworks which enlarge the code footprint of even small applications, and/or are extensible with/via plugins and addons.
Combining the connectivity, complexity, and extensibility, we get a comfortably-sized attack surface for the attacker. It is perhaps not surprising, therefore, that the number of vulnerabilities in software has steadily risen over the years. Vulnerabilities and their statistics can be queried from the National Vulnerability Database and from the Common Vulnerability and Exposure database (NVD statistics query page and CVE).
For the attackers the attacking will stay easier than defending as long as the former can attack anywhere and the latter have to defend everywhere. With a successful security analysis, however, many of the obvious vulnerabilities--in other words, the low hanging fruit--can be found. (This doesn't necessarily make a system secure, but rather that it should be able to withstand compromise attempts by unskilled hackers and automated attacks.)
The world is changing and cyber security is a rapidly-growing global issue. Adversaries come in many shapes and sizes, ranging from script kiddies to foreign governments to organized crime. Regardless of the adversary, all have easy access to very sophisticated and powerful technologies. Moreover, some attacks are so sneaky that they become evident only after a hack has happened.
Attacks can result in much mayhem and harm with significant monetary losses, but the business impact of a security breach can be difficult to tell. This is an area where it is hard to reach definitive and representative figures or findings. At least one study, however, from Oxford Economics, provides a set of findings based on surveys and case studies. Those findings show that cyber attacks do indeed result in major business impact on victims.
The job of a vulnerability researcher is to come up with recommendations for minimizing the risk to an organization. The tasks of protecting enterprise systems and data include establishing policies, practices and tools that lower the risk of illicit behaviour. The technical security assessments performed by vulnerability researchers include the identification of vulnerabilities, misconfigurations, and weaknesses.
Media Reports only the Tip of the Iceberg
Security-related news has become more and more common. Media reports about breaches are no longer minor items buried in miscellaneous news, but instead are prominent front-page material. Everything, from baby monitors to security cameras, from cars to luxury yachts, has been targeted and hacked. The threats news agencies talk about have become more complex and more professional. Stolen password lists have become sought-after merchandise and news about targeted ransomware attacks have been seen at an unprecedented rate. This reveals the grim truth that our lives online, and by extension our lives offline, have become an easy way for criminals to make money, and that this threat affects all industries, countries, and social spaces.
Although the media is beginning to take breach news seriously, and studies such as the Crime Survey of England and Wales from the Office of National Statistics show that the frequency of incidents is increasing, it is still commonly believed that cyber crime is an underreported area of illegality.
The above conveys a bleak picture of the current state of things. At the same time, however, governments, organizations, corporations and institutions are funnelling more and more money, research and effort into improving the situation.
Cyber Security Is Not Only A Tech Problem
The news of security breaches is full of reports of hackers using their own radio setups to wreak havoc, such as the misdirection of yachts or the reprogramming of the firmware of an USB device to hide malicious code. News reports have a tendency to sound technical when trying to explain the root cause of an exploited vulnerability. Security is multidisciplinary, however, in the sense that effective security comes from understanding the vulnerabilities that may come either from the physical environment, the technology, or from the human element in the mix. Threats from the physical environment may include fires, natural disasters, theft of computing resources, or exposed cables. Technical threats are what this course considers in more detail, but it bears remembering that there is a strong human element in cyber security. The best security safeguards in the world count for very little in the following situations:
- An bank employee accidentally emails out a file of bank details to a wrong address.
- A corporate employee copies a set of sensitive documents to a memory stick which is then stolen.
- A company-supplied portable devices such as a phone, laptop, or tablet has sensitive data on it, and is stolen, or accidentally left behind in a public place by the employee to whom it is assigned. (It is surprisingly common for people to forget laptops on planes, in coffeehouses, etc. Encrypting devices and enforcing a policy of hard-to-crack passwords goes a long way towards protecting against data theft in such circumstances, but strong passwords are hard for humans to remember.)
- Company staff use their private email addresses--which may or may not be protected--for corporate communication.
- Staff receive attachments that are dubious and open them, or visit a dangerous website and are the target of a drive-by download of a malicious piece of code.
- Staff discuss a work-related matter in social media, or publish a photo of the workplace, which then leaks to the wrong people due to improper privacy settings.
- ...all of the above by a very disgruntled employee doing it on purpose.
It is evident, from the list above, that human actions in the office are potential threats, but threats that can be mitigated by educating staff and providing knowledge about correct cyber security procedures. Care must be taken in communicating proper procedures as the audience is broad and may or may not be technically aware.
In short, cyber security is everyone's business. Designers and implementers build systems that have no holes (well, as few as possible), operations staff build and maintain secure networks, administrators keep systems properly updated and configured, users should prefer secure software, and executives should make early investments in security.
Responsibilities and Liabilities
This course will not delve deeply into the law, but note that companies and corporations have responsibilities and liabilities for the data they gather. Most have made a commitment, whether legally enforceable or not, to treat data gathered with the utmost care. In addition, laws and regulations govern the way these entities must secure their data and dictate the correct procedure to follow after a breach has occurred.
For example, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) intends to unify and simplify the regulations for data protection within the European Union. The GDPR is meant to replace the current directive in this area, and has as its main objective giving people control over their personal data. Furthermore, the regulation covers matters such as the export of personal data outside of the EU, sanctions for non-compliant parties, the right to erasure, and data breach reporting procedure. This regulation comes into force on the 25th of May, 2018.
The GDPR provides the first economical grounds for data protection: just as environmental regulations have internalized the cost of environmental damage to production, we may see the same happening with data protection. Insurance companies have also noticed the impending GDPR and have introduced various types of cyber security insurance which would cover some costs caused by a breach (for example a loss of profit).
However, the law is for the law abiding; for a criminal it is just a deterrent. The Internet provides anonymity and distances the attacker from the victim, making it easier to step into the world of crime via the Internet. The commission of crimes via the Internet is commonly known as hacking. (When discussing hacking we do have to mention ethical hacking. An ethical hacker, like his criminal counterpart, is an expert who tries to penetrate a computer system, but the former does it with permission from the system owner in order to reveal security vulnerabilities that malicious actors could potentially exploit.)
STRIDE and DREAD
When beginning development of a new application, there are few factors that should immediately be considered. From the point of view of this course series, we naturally take the stance that security is the biggest one. It is essential to apply some kind of threat modelling in the design phase. If not, the application may have serious flaws or the effort to maintain security is wasted on the wrong part of the application. In the process of threat modelling one examines the application and deconstructs it to smaller parts--features and modules--that do a certain thing. From these parts threats are identified and from these threats the vulnerabilities. This process can continue, with each of part being further deconstructed to even smaller parts.
Threats can be revealed by a variety of actors. For example, an ordinary user may stumble on a flaw in an application; a script kiddie running automated tools may discover a flaw; or a truly motivated attacker may find a flaw in the application through manual analysis. A threat's impact on an application might include unauthorized access being granted due to authorization failure, the browser cache being poisoned with malicious data, or private data being revealed via eavesdropping.
To simplify modelling, multiple ways exist of classifying threats. Two examples are the STRIDE and DREAD checklists. Neither one is exhaustive, but both provide good structures for determining the type of a given threat.
The STRIDE Threat Model
The STRIDE Threat Model is a useful checklist of questions that can help in the threat-modelling of an application. 'STRIDE' is an acronym for the following threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Spoofing covers cases where someone is illegally accessing a system using another user’s authentication information. Tampering covers cases such as unauthorized changes made to persistent data, whether inside a machine or in the transport. Repudiation specifies that a system should be able to trace user operations to provide evidence of what has happened in case of a breach. Information Disclosure covers the exposure of information to unauthorized individuals. (This category of threat can also occur within a machine or during transport.) Denial of Service refers to cases where the server or service is made temporarily unavailable. Lastly, Elevation of Privilege is a threat type in which an unprivileged user finds a way to gain sufficient privileges to compromise the system.
The DREAD risk assessment model
DREAD is a mnemonic checklist for prioritizing threats based on their severity, and stands for Damage, Reproducibility, Exploitability, Affected Users, and Discoverability, all of which are fairly self-explanatory. (There has been a fair amount of discussion concerning Discoverability, and whether encouraging security professionals to minimize discoverability would in turn favor the deprecated approach of security through obscurity.) A scale from 0-10 is usually used in all categories, save for discoverability which is commonly set to 10 on the grounds that any threat will eventually be discovered.
Read and reflect
Read the following article and answer the following question: "Do you find mnemonic lists meaningful or not?" Justify your opinion in about 300 words.
- Iván Arce, Kathleen Clark-Fisher, Neil Daswani, Jim DelGrosso, Danny Dhillon, Christoph Kern, Tadayoshi Kohno, Carl Landwehr, Gary McGraw, Brook Schoenfield, Margo Seltzer, Diomidis Spinellis, Izar Tarandach, and Jacob West, AVOIDING THE TOP 10 SOFTWARE SECURITY DESIGN FLAWS https://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf