Unit 1 Notes Revision.pdftttttttttttttttttttt
sriram37357
8 views
52 slides
Sep 14, 2025
Slide 1 of 52
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
About This Presentation
-
Slide Content
-Saravana Kumar R
UNIT 1.1. –COMPUTER SECURITY, THREATS,
VULNERABILITIES AND CONTROLS
UNIT 1.1. –COMPUTER SECURITY, THREATS,
VULNERABILITIES AND CONTROLS
Agenda
1.Introduction to Computer Security
2.Threats in Computer Security
3.Harm
4.Vulnerabilities in Computer Security
5.Controls in Computer Security
6.Conclusion
Q&A
1.Introduction to Computer Security
2.Threats in Computer Security
3.Harm
4.Vulnerabilities in Computer Security
5.Controls in Computer Security
6.Conclusion
Q&A
1. Introduction to Computer Security
WhatIsComputerSecurity?
ComputerSecurityinvolvesprotectingcomputersystems,networks,anddatafromunauthorizedaccess,damage,or
disruption.Itaimstoensuretheconfidentiality,integrity,andavailability(CIAtriad)ofinformationandresources.
ValuesofAssets
AssetsinComputerSecurityincludehardware,software,data,andservices.
Valuation:
Assetsarevaluedbasedontheirimportancetotheorganization,costofreplacement,andpotentialimpactofloss.
TangibleAssets:Hardware,infrastructure(e.g.,servers,laptops).
IntangibleAssets:Data,intellectualproperty,reputation.
Example:Acompany’scustomerdatabaseisvaluableduetoitssensitivityandbusinessimpactifcompromised.
ValuationMethods:
Cost-Based:Replacementoracquisitioncost.
Market-Based:Valuebasedonmarketdemandorrevenuegeneration.
Impact-Based:Potentialloss(financial,operational,reputational)ifcompromised.
WhatIsComputerSecurity?
ComputerSecurityinvolvesprotectingcomputersystems,networks,anddatafromunauthorizedaccess,damage,or
disruption.Itaimstoensuretheconfidentiality,integrity,andavailability(CIAtriad)ofinformationandresources.
ValuesofAssets
AssetsinComputerSecurityincludehardware,software,data,andservices.
Valuation:
Assetsarevaluedbasedontheirimportancetotheorganization,costofreplacement,andpotentialimpactofloss.
TangibleAssets:Hardware,infrastructure(e.g.,servers,laptops).
IntangibleAssets:Data,intellectualproperty,reputation.
Example:Acompany’scustomerdatabaseisvaluableduetoitssensitivityandbusinessimpactifcompromised.
ValuationMethods:
Cost-Based:Replacementoracquisitioncost.
Market-Based:Valuebasedonmarketdemandorrevenuegeneration.
Impact-Based:Potentialloss(financial,operational,reputational)ifcompromised.
1. Introduction to Computer Security
TheVulnerability–Threat–ControlParadigm
Vulnerability:
Aweaknessinasystemthatcanbeexploited(e.g.,outdatedsoftware).
Threat:
Apotentialdangerthatexploitsavulnerability(e.g.,malwareattack).
Control:
Measurestomitigateoreliminaterisks(e.g.,firewalls,patches).
Paradigm:
Identifyvulnerabilities,assessthreats,andapplycontrolstoprotectassets.
Example:Aweakpassword(vulnerability)canbeexploitedbybrute-forceattacks(threat),mitigatedbyenforcingstrong
passwordpolicies(control).
TheVulnerability–Threat–ControlParadigm
Vulnerability:
Aweaknessinasystemthatcanbeexploited(e.g.,outdatedsoftware).
Threat:
Apotentialdangerthatexploitsavulnerability(e.g.,malwareattack).
Control:
Measurestomitigateoreliminaterisks(e.g.,firewalls,patches).
Paradigm:
Identifyvulnerabilities,assessthreats,andapplycontrolstoprotectassets.
Example:Aweakpassword(vulnerability)canbeexploitedbybrute-forceattacks(threat),mitigatedbyenforcingstrong
passwordpolicies(control).
2. Threats
Threatsarepotentialeventsoractionsthatcancauseharmtoasystemordata.TheytargettheCIAtriad:
Confidentiality
Ensuresdataisaccessibleonlytoauthorizedusers.
Threats:Eavesdropping,databreaches,unauthorizedaccess.
Example:Ahackerinterceptingsensitiveemailsviolatesconfidentiality.
Integrity
Ensuresdataaccuracyandtrustworthiness,preventingunauthorizedmodifications.
Threats:Datatampering,malwarealteringfiles,man-in-the-middleattacks.
Example:Alteringfinancialrecordstoshowfalsetransactionscompromisesintegrity.
Availability
Ensuressystemsanddataareaccessibletoauthorizeduserswhenneeded.
Threats:Denial-of-Service(DoS)attacks,ransomware,hardwarefailures.
Example:ADoSattackoverwhelmingawebsitepreventsuseraccess.
Threatsarepotentialeventsoractionsthatcancauseharmtoasystemordata.TheytargettheCIAtriad:
Confidentiality
Ensuresdataisaccessibleonlytoauthorizedusers.
Threats:Eavesdropping,databreaches,unauthorizedaccess.
Example:Ahackerinterceptingsensitiveemailsviolatesconfidentiality.
Integrity
Ensuresdataaccuracyandtrustworthiness,preventingunauthorizedmodifications.
Threats:Datatampering,malwarealteringfiles,man-in-the-middleattacks.
Example:Alteringfinancialrecordstoshowfalsetransactionscompromisesintegrity.
Availability
Ensuressystemsanddataareaccessibletoauthorizeduserswhenneeded.
Threats:Denial-of-Service(DoS)attacks,ransomware,hardwarefailures.
Example:ADoSattackoverwhelmingawebsitepreventsuseraccess.
2. Threats
TypesofThreats
NaturalThreats:Floods,earthquakes,poweroutages.
HumanThreats:Hacking,insiderthreats,socialengineering.
AccidentalThreats:Humanerrors,softwarebugs.
MaliciousThreats:Malware,phishing,SQLinjection.
PhysicalThreats:Theft,vandalism,fire.
LogicalThreats:Exploits,viruses,unauthorizedaccess.
TypesofAttackers
Hackers:Exploitsystemsforchallenge,profit,oractivism(e.g.,blackhat,whitehat,greyhat).
Insiders:Employeesortrustedindividualsabusingaccess(e.g.,disgruntledemployees).
Cybercriminals:Seekfinancialgainthroughransomware,phishing,etc.
Nation-StateActors:Government-sponsoredattackerstargetingcriticalinfrastructure.
ScriptKiddies:Inexperiencedattackersusingpre-writtentools.
Hacktivists:Attackforpoliticalorsocialcauses(e.g.,Anonymous).
Note:
BlackHathackersexploitvulnerabilitiesformaliciouspurposes,personalgain,ortocauseharm.
WhiteHatHackersareethicalsecurityexpertswhohelporganizationsidentify&fixvulnerabilitiestoimprovesecurity.
GreyHatHackersoperateinamiddleground,oftenidentifyingvulnerabilitieswithoutpermission,butwiththe
intentionofimprovingsecurity.
TypesofThreats
NaturalThreats:Floods,earthquakes,poweroutages.
HumanThreats:Hacking,insiderthreats,socialengineering.
AccidentalThreats:Humanerrors,softwarebugs.
MaliciousThreats:Malware,phishing,SQLinjection.
PhysicalThreats:Theft,vandalism,fire.
LogicalThreats:Exploits,viruses,unauthorizedaccess.
TypesofAttackers
Hackers:Exploitsystemsforchallenge,profit,oractivism(e.g.,blackhat,whitehat,greyhat).
Insiders:Employeesortrustedindividualsabusingaccess(e.g.,disgruntledemployees).
Cybercriminals:Seekfinancialgainthroughransomware,phishing,etc.
Nation-StateActors:Government-sponsoredattackerstargetingcriticalinfrastructure.
ScriptKiddies:Inexperiencedattackersusingpre-writtentools.
Hacktivists:Attackforpoliticalorsocialcauses(e.g.,Anonymous).
Note:
BlackHathackersexploitvulnerabilitiesformaliciouspurposes,personalgain,ortocauseharm.
WhiteHatHackersareethicalsecurityexpertswhohelporganizationsidentify&fixvulnerabilitiestoimprovesecurity.
GreyHatHackersoperateinamiddleground,oftenidentifyingvulnerabilitieswithoutpermission,butwiththe
intentionofimprovingsecurity.
3. Harm
Harmisthenegativeimpactcausedbyasuccessfulthreatexploitingavulnerability.
TypesofHarm:
FinancialLoss:Costsfromdatabreaches,ransomwarepayments.
ReputationalDamage:Lossofcustomertrustorbrandvalue.
OperationalDisruption:Downtime,lossofproductivity.
Legal/RegulatoryPenalties:Finesfornon-compliance(e.g.,GDPRviolations).
Example:Adatabreachexposingcustomerdataleadstofinancialpenaltiesandlossoftrust.
RiskandCommonSense
RiskDef:Thelikelihoodandimpactofathreatexploitingavulnerability.
RiskAssessment:
Identifyassetsandtheirvalue.
Identifyvulnerabilitiesandpotentialthreats.
Estimatelikelihoodandimpact.
Applycontrolstomitigaterisks.
CommonSense:Intuitiveapproacheslikeregularbackups,strongpasswords,andemployeetrainingreducerisks.
Example:Regularlyupdatingsoftwarereducestheriskofknownexploits.
Harmisthenegativeimpactcausedbyasuccessfulthreatexploitingavulnerability.
TypesofHarm:
FinancialLoss:Costsfromdatabreaches,ransomwarepayments.
ReputationalDamage:Lossofcustomertrustorbrandvalue.
OperationalDisruption:Downtime,lossofproductivity.
Legal/RegulatoryPenalties:Finesfornon-compliance(e.g.,GDPRviolations).
Example:Adatabreachexposingcustomerdataleadstofinancialpenaltiesandlossoftrust.
RiskandCommonSense
RiskDef:Thelikelihoodandimpactofathreatexploitingavulnerability.
RiskAssessment:
Identifyassetsandtheirvalue.
Identifyvulnerabilitiesandpotentialthreats.
Estimatelikelihoodandimpact.
Applycontrolstomitigaterisks.
CommonSense:Intuitiveapproacheslikeregularbackups,strongpasswords,andemployeetrainingreducerisks.
Example:Regularlyupdatingsoftwarereducestheriskofknownexploits.
3. Harm
Method–Opportunity–Motive(MOM)
Method:
Thetechniqueortoolusedtoexploitavulnerability(e.g.,phishingemail).
Opportunity:
Thechanceoraccesstocarryouttheattack(e.g.,unpatchedsystem).
Motive:
Thereasonfortheattack(e.g.,financialgain,revenge).
Example:Acybercriminal(motive:profit)usesaphishingemail(method)toexploitanunpatchedemailserver
(opportunity).
Method–Opportunity–Motive(MOM)
Method:
Thetechniqueortoolusedtoexploitavulnerability(e.g.,phishingemail).
Opportunity:
Thechanceoraccesstocarryouttheattack(e.g.,unpatchedsystem).
Motive:
Thereasonfortheattack(e.g.,financialgain,revenge).
Example:Acybercriminal(motive:profit)usesaphishingemail(method)toexploitanunpatchedemailserver
(opportunity).
4. Vulnerabilities
Vulnerabilitiesareweaknessesinasystemthatthreatscanexploit.
Types:
SoftwareVulnerabilities:Bugs,unpatchedsystems(e.g.,bufferoverflows).
HardwareVulnerabilities:Faultydevices,physicalaccessissues.
HumanVulnerabilities:Poortraining,socialengineeringsusceptibility.
ConfigurationVulnerabilities:Weakpasswords,openports.
Example:AnunpatchedoperatingsystemisvulnerabletoknownexploitslikeWannaCryransomware.
Mitigation:Regularupdates,secureconfigurations,employeeawareness.
Vulnerabilitiesareweaknessesinasystemthatthreatscanexploit.
Types:
SoftwareVulnerabilities:Bugs,unpatchedsystems(e.g.,bufferoverflows).
HardwareVulnerabilities:Faultydevices,physicalaccessissues.
HumanVulnerabilities:Poortraining,socialengineeringsusceptibility.
ConfigurationVulnerabilities:Weakpasswords,openports.
Example:AnunpatchedoperatingsystemisvulnerabletoknownexploitslikeWannaCryransomware.
Mitigation:Regularupdates,secureconfigurations,employeeawareness.
5. Controls
Controlsarecountermeasurestoreducerisksbyaddressingvulnerabilitiesormitigatingthreats.
Types:
PreventiveControls:Stopattacks(e.g.,firewalls,encryption).
DetectiveControls:Identifyattacks(e.g.,intrusiondetectionsystems,logs).
CorrectiveControls:Recoverfromattacks(e.g.,backups,incidentresponse).
AdministrativeControls:Policies,training,audits.
TechnicalControls:Software/hardwaresolutions(e.g.,antivirus,accesscontrols).
PhysicalControls:Locks,securityguards,biometricscanners.
Example:Afirewall(preventive)blocksunauthorizedaccess,whilelogs(detective)trackintrusionattempts.
Controlsarecountermeasurestoreducerisksbyaddressingvulnerabilitiesormitigatingthreats.
Types:
PreventiveControls:Stopattacks(e.g.,firewalls,encryption).
DetectiveControls:Identifyattacks(e.g.,intrusiondetectionsystems,logs).
CorrectiveControls:Recoverfromattacks(e.g.,backups,incidentresponse).
AdministrativeControls:Policies,training,audits.
TechnicalControls:Software/hardwaresolutions(e.g.,antivirus,accesscontrols).
PhysicalControls:Locks,securityguards,biometricscanners.
Example:Afirewall(preventive)blocksunauthorizedaccess,whilelogs(detective)trackintrusionattempts.
6. Conclusion
Computersecurityisacontinuousprocessofidentifyingandvaluingassets,assessingvulnerabilitiesandthreats,and
implementingcontrolstoprotecttheCIAtriad.
Understandingattackers’methods,opportunities,andmotiveshelpsdesigneffectivedefenses.
Regularupdates,riskassessments,andalayeredsecurityapproacharecriticaltominimizingharm.
Computersecurityisacontinuousprocessofidentifyingandvaluingassets,assessingvulnerabilitiesandthreats,and
implementingcontrolstoprotecttheCIAtriad.
Understandingattackers’methods,opportunities,andmotiveshelpsdesigneffectivedefenses.
Regularupdates,riskassessments,andalayeredsecurityapproacharecriticaltominimizingharm.
Controls in Computer Security -Summary
Q & A
Thank You
-Saravana Kumar R
UNIT 1.2. –COMPUTER SECURITY
-AUTHENTICATION, ACCESS CONTROL,
CRYPTOGRAPHY
UNIT 1.2. –COMPUTER SECURITY
-AUTHENTICATION, ACCESS CONTROL,
CRYPTOGRAPHY
Agenda
1.Authentication
2.Access Control
3.Cryptography
4.Conclusion
Q&A
1.Authentication
2.Access Control
3.Cryptography
4.Conclusion
Q&A
1. Authentication
Def:Authenticationistheprocessofverifyingtheidentityofauser,process,ordevice.
Itanswersthequestion,"Areyouwhoyouclaimtobe?"Thisisdistinctfromidentification,whichissimplystatingwho
youare.IdentificationVsAuthentication
Identification:Theactofassertinganidentity.Forexample,typingausernameintoaloginscreen.
Authentication:Theactofprovingthattheassertedidentityisgenuine.Thisiswherecredentialsareprovidedand
verifiedagainstaknownsetofauthenticidentities.
AuthenticationBasedonPhrasesandFacts:SomethingYouKnow
AuthenticationBasedonBiometrics:SomethingYouAre
AuthenticationBasedonTokens:SomethingYouHave
Def:Authenticationistheprocessofverifyingtheidentityofauser,process,ordevice.
Itanswersthequestion,"Areyouwhoyouclaimtobe?"Thisisdistinctfromidentification,whichissimplystatingwho
youare.IdentificationVsAuthentication
Identification:Theactofassertinganidentity.Forexample,typingausernameintoaloginscreen.
Authentication:Theactofprovingthattheassertedidentityisgenuine.Thisiswherecredentialsareprovidedand
verifiedagainstaknownsetofauthenticidentities.
AuthenticationBasedonPhrasesandFacts:SomethingYouKnow
AuthenticationBasedonBiometrics:SomethingYouAre
AuthenticationBasedonTokens:SomethingYouHave
1. Authentication
AuthenticationBasedonPhrasesandFacts:SomethingYouKnow
Reliesonknowledgeonlythelegitimateusershouldpossess.
Examples:Passwords,PINs,securityquestions.
Advantages:Easytoimplement,lowcost.
Disadvantages:Vulnerabletophishing,forgetting,orguessing.
BestPractices:Usestrongpasswords(mixofletters,numbers,symbols),avoidreuse,andenableaccountlockoutafter
failedattempts.
AuthenticationBasedonBiometrics:SomethingYouAre
Usesuniquephysicalorbehavioraltraits.
Examples:Fingerprintscans,facialrecognition,irisscans,voicerecognition.
Advantages:Hardtoreplicate,convenient.
Disadvantages:Privacyconcerns,highcost,potentialforfalsepositives/negatives.
Applications:Smartphones,securefacilities.
AuthenticationBasedonTokens:SomethingYouHave
Involvesphysicalordigitalobjectspossessedbytheuser.
Examples:Smartcards,USBtokens,one-timepassword(OTP)devices.
Advantages:Addsaphysicallayerofsecurity.
Disadvantages:Canbelost,stolen,orduplicated.
Example:Bank-issuedOTPtokensforonlinetransactions.
AuthenticationBasedonPhrasesandFacts:SomethingYouKnow
Reliesonknowledgeonlythelegitimateusershouldpossess.
Examples:Passwords,PINs,securityquestions.
Advantages:Easytoimplement,lowcost.
Disadvantages:Vulnerabletophishing,forgetting,orguessing.
BestPractices:Usestrongpasswords(mixofletters,numbers,symbols),avoidreuse,andenableaccountlockoutafter
failedattempts.
AuthenticationBasedonBiometrics:SomethingYouAre
Usesuniquephysicalorbehavioraltraits.
Examples:Fingerprintscans,facialrecognition,irisscans,voicerecognition.
Advantages:Hardtoreplicate,convenient.
Disadvantages:Privacyconcerns,highcost,potentialforfalsepositives/negatives.
Applications:Smartphones,securefacilities.
AuthenticationBasedonTokens:SomethingYouHave
Involvesphysicalordigitalobjectspossessedbytheuser.
Examples:Smartcards,USBtokens,one-timepassword(OTP)devices.
Advantages:Addsaphysicallayerofsecurity.
Disadvantages:Canbelost,stolen,orduplicated.
Example:Bank-issuedOTPtokensforonlinetransactions.
1. Authentication
FederatedIdentityManagement
Allowsuserstoaccessmultiplesystemsororganizationsusingasinglesetofcredentials.
Mechanism:Atrustedidentityprovider(IdP)authenticatesusersandsharesidentitydatawithserviceproviders(SPs).
Examples:SingleSign-On(SSO),OAuth,OpenIDConnect.
Advantages:Simplifiesuserexperience,reducescredentialmanagement.
Challenges:RequirestrustintheIdP,potentialsinglepointoffailure.
MultifactorAuthentication(MFA)
Combinestwoormoreauthenticationfactors(somethingyouknow,have,orare).
Example:Password(knowledge)+OTPfromamobileapp(possession).
Advantages:Significantlyenhancessecuritybyrequiringmultipleproofs.
Applications:Banking,corporatenetworks,cloudservices.
SecureAuthentication
Involvesprotocolsandpracticestoprotectauthenticationprocesses.
Techniques:Encryptedcommunication(e.g.,TLS),securestorageofcredentials(e.g.,hashingpasswordswithbcrypt),
andtime-basedOTPs.
Challenges:Balancingsecuritywithusability,mitigatingattackslikeman-in-the-middle(MITM).
FederatedIdentityManagement
Allowsuserstoaccessmultiplesystemsororganizationsusingasinglesetofcredentials.
Mechanism:Atrustedidentityprovider(IdP)authenticatesusersandsharesidentitydatawithserviceproviders(SPs).
Examples:SingleSign-On(SSO),OAuth,OpenIDConnect.
Advantages:Simplifiesuserexperience,reducescredentialmanagement.
Challenges:RequirestrustintheIdP,potentialsinglepointoffailure.
MultifactorAuthentication(MFA)
Combinestwoormoreauthenticationfactors(somethingyouknow,have,orare).
Example:Password(knowledge)+OTPfromamobileapp(possession).
Advantages:Significantlyenhancessecuritybyrequiringmultipleproofs.
Applications:Banking,corporatenetworks,cloudservices.
SecureAuthentication
Involvesprotocolsandpracticestoprotectauthenticationprocesses.
Techniques:Encryptedcommunication(e.g.,TLS),securestorageofcredentials(e.g.,hashingpasswordswithbcrypt),
andtime-basedOTPs.
Challenges:Balancingsecuritywithusability,mitigatingattackslikeman-in-the-middle(MITM).
2. Access Control
Def:Accesscontroldetermineswhatauthenticateduserscandowithinasystem.
Itensuresthatuserscanonlyaccesstheresourcesandperformtheoperationstheyareauthorizedfor.
AccessPolicies
Rulesthatdefinewhocanaccesswhatresourcesandunderwhatconditions.Theyspecifythepermissionsgrantedor
deniedtousers.
LeastPrivilege:Usersshouldonlybegrantedtheminimumpermissionsnecessarytoperformtheirjobfunctions.
SeparationofDuties:Nosingleindividualshouldbeabletocompleteacriticaltaskalone;requiresmultipleindividuals
tocompleteaprocess.
KeyTypesofAccessControl:
DiscretionaryAccessControl(DAC):Resourceownerssetpermissions(e.g.,filepermissionsinLinux).
MandatoryAccessControl(MAC):Systemenforcesstrictpolicies(e.g.,SELinux).
Attribute-BasedAccessControl(ABAC):Usesattributes(e.g.,userrole,time)todecideaccess.
Def:Accesscontroldetermineswhatauthenticateduserscandowithinasystem.
Itensuresthatuserscanonlyaccesstheresourcesandperformtheoperationstheyareauthorizedfor.
AccessPolicies
Rulesthatdefinewhocanaccesswhatresourcesandunderwhatconditions.Theyspecifythepermissionsgrantedor
deniedtousers.
LeastPrivilege:Usersshouldonlybegrantedtheminimumpermissionsnecessarytoperformtheirjobfunctions.
SeparationofDuties:Nosingleindividualshouldbeabletocompleteacriticaltaskalone;requiresmultipleindividuals
tocompleteaprocess.
KeyTypesofAccessControl:
DiscretionaryAccessControl(DAC):Resourceownerssetpermissions(e.g.,filepermissionsinLinux).
MandatoryAccessControl(MAC):Systemenforcesstrictpolicies(e.g.,SELinux).
Attribute-BasedAccessControl(ABAC):Usesattributes(e.g.,userrole,time)todecideaccess.
2. Access Control
ImplementingAccessControl
AccessControlLists(ACLs):Specifywhichusersorgroupscanaccessaresourceandwhatactionstheycanperform
(e.g.,read,write).
Capabilities:Tokensorkeysgrantingspecificaccessrightstousers.
Challenges:ManagingcomplexACLs,ensuringleastprivilegeprinciple.
Procedure-OrientedAccessControl
Accessdecisionsarebasedonpredefinedproceduresorworkflows.
Example:Abankingsystemrequiringmanagerapprovalfortransactionsaboveathreshold.
Advantages:Structuredandauditable.
Disadvantages:Canberigidandslow.
Role-BasedAccessControl(RBAC)
Accessisgrantedbasedonuserroleswithinanorganization.
Example:An"Admin"rolehasfullsystemaccess,whilea"Guest"rolehaslimitedaccess.
Advantages:Simplifiesmanagement,scalableforlargeorganizations.
Disadvantages:Roleexplosionincomplexsystems.
ImplementingAccessControl
AccessControlLists(ACLs):Specifywhichusersorgroupscanaccessaresourceandwhatactionstheycanperform
(e.g.,read,write).
Capabilities:Tokensorkeysgrantingspecificaccessrightstousers.
Challenges:ManagingcomplexACLs,ensuringleastprivilegeprinciple.
Procedure-OrientedAccessControl
Accessdecisionsarebasedonpredefinedproceduresorworkflows.
Example:Abankingsystemrequiringmanagerapprovalfortransactionsaboveathreshold.
Advantages:Structuredandauditable.
Disadvantages:Canberigidandslow.
Role-BasedAccessControl(RBAC)
Accessisgrantedbasedonuserroleswithinanorganization.
Example:An"Admin"rolehasfullsystemaccess,whilea"Guest"rolehaslimitedaccess.
Advantages:Simplifiesmanagement,scalableforlargeorganizations.
Disadvantages:Roleexplosionincomplexsystems.
3. Cryptography
Def:Cryptographysecuresinformationbytransformingitintoanunreadableformat,ensuringconfidentiality,
integrity,andauthenticity.
ProblemsAddressedbyEncryption
Confidentiality:Preventsunauthorizedaccesstodata.
Integrity:Ensuresdataisnotalteredduringtransmission.
Authentication:Verifiestheidentityofcommunicatingparties.
Non-repudiation:Provestheoriginandintegrityofdata.
Terminology
Plaintext: Original, readable data.
Ciphertext: Encrypted, unreadable data.
Key: Secret value used to encrypt/decrypt data.
Encryption: Process of converting plaintext to ciphertext.
Decryption: Process of converting ciphertext back to plaintext.
Def:Cryptographysecuresinformationbytransformingitintoanunreadableformat,ensuringconfidentiality,
integrity,andauthenticity.
ProblemsAddressedbyEncryption
Confidentiality:Preventsunauthorizedaccesstodata.
Integrity:Ensuresdataisnotalteredduringtransmission.
Authentication:Verifiestheidentityofcommunicatingparties.
Non-repudiation:Provestheoriginandintegrityofdata.
Terminology
Plaintext: Original, readable data.
Ciphertext: Encrypted, unreadable data.
Key: Secret value used to encrypt/decrypt data.
Encryption: Process of converting plaintext to ciphertext.
Decryption: Process of converting ciphertext back to plaintext.
3. Cryptography
DES:DataEncryptionStandard
Asymmetric-keyalgorithmusinga56-bitkey.
Process:Dividesdatainto64-bitblocks,applies16roundsofpermutationandsubstitution.
Status:Consideredinsecureduetoshortkeylength;replacedbyAES.
Applications:Legacysystems,earlybankingencryption.
AES:AdvancedEncryptionStandard
Asymmetric-keyalgorithmwithkeysizesof128,192,or256bits.
Process:Usessubstitution-permutationnetwork,operateson128-bitblocks.
Advantages:Faster,moresecurethanDES.
Applications:SSL/TLS,VPNs,diskencryption.
PublicKeyCryptography
Usesapairofkeys:public(forencryption)andprivate(fordecryption).Examples:RSA,ECC(EllipticCurve
Cryptography).
Advantages:Eliminatesneedforsecurekeyexchange.
Disadvantages:Computationallyintensive.
DES:DataEncryptionStandard
Asymmetric-keyalgorithmusinga56-bitkey.
Process:Dividesdatainto64-bitblocks,applies16roundsofpermutationandsubstitution.
Status:Consideredinsecureduetoshortkeylength;replacedbyAES.
Applications:Legacysystems,earlybankingencryption.
AES:AdvancedEncryptionStandard
Asymmetric-keyalgorithmwithkeysizesof128,192,or256bits.
Process:Usessubstitution-permutationnetwork,operateson128-bitblocks.
Advantages:Faster,moresecurethanDES.
Applications:SSL/TLS,VPNs,diskencryption.
PublicKeyCryptography
Usesapairofkeys:public(forencryption)andprivate(fordecryption).Examples:RSA,ECC(EllipticCurve
Cryptography).
Advantages:Eliminatesneedforsecurekeyexchange.
Disadvantages:Computationallyintensive.
3. Cryptography
PublicKeyCryptographytoExchangeSecretKeys
Process:Publickeyencryptsasymmetrickey,whichisdecryptedusingtheprivatekey.
Example:Diffie-Hellmankeyexchange,RSAkeytransport.
Applications:Secureemail(PGP),HTTPS.
ErrorDetectingCodes
Usedtodetectdatacorruptionduringtransmission.
Examples:Checksums,CyclicRedundancyCheck(CRC).
Process:Appendacodetodata;receiververifiesintegritybyrecalculatingthecode.
TrustCertificates:TrustableIdentitiesandPublicKeys
DigitalcertificatesissuedbyCertificateAuthorities(CAs)toverifypublickeyownership.
Components:Publickey,identityinfo,CA’sdigitalsignature.
Applications:HTTPS,secureemail,VPNs.
DigitalSignatures
Ensureauthenticityandintegrityofmessages.
Process:Sendersignsmessagewithprivatekey;receiververifieswithpublickey.
Example:Signingsoftwareupdatestoprovetheyarefromatrustedsource.
PublicKeyCryptographytoExchangeSecretKeys
Process:Publickeyencryptsasymmetrickey,whichisdecryptedusingtheprivatekey.
Example:Diffie-Hellmankeyexchange,RSAkeytransport.
Applications:Secureemail(PGP),HTTPS.
ErrorDetectingCodes
Usedtodetectdatacorruptionduringtransmission.
Examples:Checksums,CyclicRedundancyCheck(CRC).
Process:Appendacodetodata;receiververifiesintegritybyrecalculatingthecode.
TrustCertificates:TrustableIdentitiesandPublicKeys
DigitalcertificatesissuedbyCertificateAuthorities(CAs)toverifypublickeyownership.
Components:Publickey,identityinfo,CA’sdigitalsignature.
Applications:HTTPS,secureemail,VPNs.
DigitalSignatures
Ensureauthenticityandintegrityofmessages.
Process:Sendersignsmessagewithprivatekey;receiververifieswithpublickey.
Example:Signingsoftwareupdatestoprovetheyarefromatrustedsource.
Q & A
Thank You
-Saravana Kumar R
UNIT 1.3. –COMPUTER SECURITY
-MALICIOUS CODE
UNIT 1.3. –COMPUTER SECURITY
-MALICIOUS CODE
Agenda
1.Programming Oversights
2.Malicious Code
3.Developer Countermeasures
4.Ineffective Countermeasures
Q&A
1.Programming Oversights
2.Malicious Code
3.Developer Countermeasures
4.Ineffective Countermeasures
Q&A
1. Programming Oversights
Maliciouscode,oftenreferredtoasmalware,issoftwaredesignedtocausedamage,disruptsystems,orgain
unauthorizedaccesstoacomputersystem.
Understandinghowprogrammingoversightscanleadtovulnerabilitiesandhowmaliciouscodeexploitsthemiscrucial
forbuildingsecuresystems.
Programmingoversightsareerrorsorflawsinsoftwaredesignorimplementationthatcreatevulnerabilitiesexploitable
byattackers.Theseoversightscanleadtosignificantsecuritybreachesifnotaddressedduringdevelopment.
1.1BufferOverflows
Definition:Occurswhenaprogramwritesmoredatatoabufferthanitcanhold,overwritingadjacentmemory.
Impact:Attackerscaninjectmaliciouscode,corruptdata,orgainunauthorizedaccess.
Example:Writing100bytestoabufferallocatedfor50bytes,overwritingcriticalprogramdata.
Cause:Lackofinputvalidationorboundschecking.
Mitigation:
Usesafeprogramminglanguages(e.g.,Python,Java)withbuilt-inboundschecking.
EmploytoolslikeAddressSanitizertodetectbufferoverflows.
Validateinputsizebeforeprocessing.
Maliciouscode,oftenreferredtoasmalware,issoftwaredesignedtocausedamage,disruptsystems,orgain
unauthorizedaccesstoacomputersystem.
Understandinghowprogrammingoversightscanleadtovulnerabilitiesandhowmaliciouscodeexploitsthemiscrucial
forbuildingsecuresystems.
Programmingoversightsareerrorsorflawsinsoftwaredesignorimplementationthatcreatevulnerabilitiesexploitable
byattackers.Theseoversightscanleadtosignificantsecuritybreachesifnotaddressedduringdevelopment.
1.1BufferOverflows
Definition:Occurswhenaprogramwritesmoredatatoabufferthanitcanhold,overwritingadjacentmemory.
Impact:Attackerscaninjectmaliciouscode,corruptdata,orgainunauthorizedaccess.
Example:Writing100bytestoabufferallocatedfor50bytes,overwritingcriticalprogramdata.
Cause:Lackofinputvalidationorboundschecking.
Mitigation:
Usesafeprogramminglanguages(e.g.,Python,Java)withbuilt-inboundschecking.
EmploytoolslikeAddressSanitizertodetectbufferoverflows.
Validateinputsizebeforeprocessing.
1. Programming Oversights
1.2Off-by-OneErrors
Definition:Errorswherealooporarrayaccessisoffbyoneindex,accessingunintendedmemoryorskipping
necessaryoperations.
Impact:Cancausecrashes,datacorruption,orvulnerabilitiesforcodeinjection.
Example:Aloopiteratingfrom0toninsteadof0ton-1,accessingmemorybeyondanarray’sbounds.
Cause:Miscalculatingloopboundariesorarrayindices.
Mitigation:
Rigorouscodereviewsandtesting.
Usestandardlibrariesforiterationandarrayaccess.
Staticanalysistoolstodetectoff-by-oneerrors.
1.2Off-by-OneErrors
Definition:Errorswherealooporarrayaccessisoffbyoneindex,accessingunintendedmemoryorskipping
necessaryoperations.
Impact:Cancausecrashes,datacorruption,orvulnerabilitiesforcodeinjection.
Example:Aloopiteratingfrom0toninsteadof0ton-1,accessingmemorybeyondanarray’sbounds.
Cause:Miscalculatingloopboundariesorarrayindices.
Mitigation:
Rigorouscodereviewsandtesting.
Usestandardlibrariesforiterationandarrayaccess.
Staticanalysistoolstodetectoff-by-oneerrors.
1. Programming Oversights
1.3IncompleteMediation
Definition:Failuretofullyvalidateorsanitizeuserinputsbeforeprocessing,allowingunauthorizedactions.
Impact:Attackerscanbypasssecuritychecks,leadingtounauthorizedaccessordatamanipulation.
Example:AwebformacceptingunvalidatedinputthatallowsSQLinjectionorscriptexecution.
Cause:Inadequateinputvalidationorrelianceonclient-sidechecks.
Mitigation:
Implementserver-sideinputvalidationandsanitization.
Usepreparedstatementsfordatabasequeries.
Employframeworkswithbuilt-inmediation(e.g.,Django,Spring).
1.4Time-of-ChecktoTime-of-Use(TOCTOU)Errors
Definition:Araceconditionwherearesource’sstatechangesbetweenthetimeitischeckedandwhenitisused.
Impact:Attackerscanexploitthetimegaptoalterresources,gainingunauthorizedaccessorcausingerrors.
Example:Aprogramchecksfilepermissionsbutusesthefilelater,allowinganattackertoreplaceitwithamalicious
file.
Cause:Lackofatomicoperationsinconcurrentsystems.
Mitigation:
Useatomicoperationsorfilelockingmechanisms.
Minimizetimebetweencheckanduse.
Avoidrelianceonexternalresourcestates.
1.3IncompleteMediation
Definition:Failuretofullyvalidateorsanitizeuserinputsbeforeprocessing,allowingunauthorizedactions.
Impact:Attackerscanbypasssecuritychecks,leadingtounauthorizedaccessordatamanipulation.
Example:AwebformacceptingunvalidatedinputthatallowsSQLinjectionorscriptexecution.
Cause:Inadequateinputvalidationorrelianceonclient-sidechecks.
Mitigation:
Implementserver-sideinputvalidationandsanitization.
Usepreparedstatementsfordatabasequeries.
Employframeworkswithbuilt-inmediation(e.g.,Django,Spring).
1.4Time-of-ChecktoTime-of-Use(TOCTOU)Errors
Definition:Araceconditionwherearesource’sstatechangesbetweenthetimeitischeckedandwhenitisused.
Impact:Attackerscanexploitthetimegaptoalterresources,gainingunauthorizedaccessorcausingerrors.
Example:Aprogramchecksfilepermissionsbutusesthefilelater,allowinganattackertoreplaceitwithamalicious
file.
Cause:Lackofatomicoperationsinconcurrentsystems.
Mitigation:
Useatomicoperationsorfilelockingmechanisms.
Minimizetimebetweencheckanduse.
Avoidrelianceonexternalresourcestates.
2. Malicious Code
Maliciouscode(malware)issoftwaredesignedtoharm,disrupt,orgainunauthorizedaccesstosystems,networks,or
data.
2.1Viruses:Codethatattachesitselftolegitimateprograms,spreadingbyinfectingotherfilesorsystemswhenexecuted.
Characteristics:
Requiresuseractiontospread(e.g.,openinganinfectedfile).
Cancorruptfiles,stealdata,orcausesystemcrashes.
Example:AmacrovirusinaWorddocumentthatinfectsotherdocuments.
Propagation:Viaemailattachments,infectedsoftware,orremovablemedia.
2.2Worms:Self-replicatingcodethatspreadsindependentlyacrossnetworkswithoutrequiringuserinteraction.
Characteristics:
Exploitsnetworkvulnerabilitiesorweakpasswords.
Canconsumebandwidth,installbackdoors,ordeliverpayloads.
Example:TheWannaCrywormexploitingSMBvulnerabilitiestoencryptfiles.
Propagation:Throughnetworkservices,email,ordirectconnections.
2.3TrojanHorses:Malwaredisguisedaslegitimatesoftwaretotrickusersintoinstallingit.
Characteristics:
Doesnotself-replicate;reliesonsocialengineering.
Cancreatebackdoors,stealdata,orspyonusers.
Example:Afakeantivirusprogramthatinstallsspyware.
Propagation:Viadownloads,phishingemails,ormaliciouswebsites.
Maliciouscode(malware)issoftwaredesignedtoharm,disrupt,orgainunauthorizedaccesstosystems,networks,or
data.
2.1Viruses:Codethatattachesitselftolegitimateprograms,spreadingbyinfectingotherfilesorsystemswhenexecuted.
Characteristics:
Requiresuseractiontospread(e.g.,openinganinfectedfile).
Cancorruptfiles,stealdata,orcausesystemcrashes.
Example:AmacrovirusinaWorddocumentthatinfectsotherdocuments.
Propagation:Viaemailattachments,infectedsoftware,orremovablemedia.
2.2Worms:Self-replicatingcodethatspreadsindependentlyacrossnetworkswithoutrequiringuserinteraction.
Characteristics:
Exploitsnetworkvulnerabilitiesorweakpasswords.
Canconsumebandwidth,installbackdoors,ordeliverpayloads.
Example:TheWannaCrywormexploitingSMBvulnerabilitiestoencryptfiles.
Propagation:Throughnetworkservices,email,ordirectconnections.
2.3TrojanHorses:Malwaredisguisedaslegitimatesoftwaretotrickusersintoinstallingit.
Characteristics:
Doesnotself-replicate;reliesonsocialengineering.
Cancreatebackdoors,stealdata,orspyonusers.
Example:Afakeantivirusprogramthatinstallsspyware.
Propagation:Viadownloads,phishingemails,ormaliciouswebsites.
3. Developer Countermeasures
3.DeveloperCountermeasures:Developerscanadopttechniquesandprinciplestopreventormitigatevulnerabilitiesand
maliciouscode.
3.1ProgramDevelopmentTechniques
InputValidationandSanitization:
Validatealluserinputsfortype,length,andformat.
Sanitizeinputstoremovemaliciouscontent(e.g.,stripHTMLtags).
SecureCodingPractices:
Usesafefunctions(e.g.,strncpyinsteadofstrcpyinC).
Avoidhardcodingsensitivedata(e.g.,APIkeys).
CodeReviewsandTesting:
Conductpeerreviewstocatcherrorsearly.
Usestaticanddynamicanalysistoolstoidentifyvulnerabilities.
Performpenetrationtestingtosimulateattacks.
ModularDesign:
Breakcodeintosmaller,testablemodulestoisolateerrors.
Limitthescopeofvariablesandfunctionstoreduceunintendedaccess.
3.2SecurityPrinciples
LeastPrivilege:Grantonlytheminimumpermissionsneededforatask.
DefenseinDepth:Usemultiplelayersofsecurity(e.g.,firewalls,encryption,authentication).
Fail-SafeDefaults:Denyaccessbydefault;explicitlygrantpermissions.
SecurebyDesign:Incorporatesecurityfromthestartofthedevelopmentlifecycle.
KeepItSimple:Avoidcomplexcodethatincreasestheriskoferrors.
3.DeveloperCountermeasures:Developerscanadopttechniquesandprinciplestopreventormitigatevulnerabilitiesand
maliciouscode.
3.1ProgramDevelopmentTechniques
InputValidationandSanitization:
Validatealluserinputsfortype,length,andformat.
Sanitizeinputstoremovemaliciouscontent(e.g.,stripHTMLtags).
SecureCodingPractices:
Usesafefunctions(e.g.,strncpyinsteadofstrcpyinC).
Avoidhardcodingsensitivedata(e.g.,APIkeys).
CodeReviewsandTesting:
Conductpeerreviewstocatcherrorsearly.
Usestaticanddynamicanalysistoolstoidentifyvulnerabilities.
Performpenetrationtestingtosimulateattacks.
ModularDesign:
Breakcodeintosmaller,testablemodulestoisolateerrors.
Limitthescopeofvariablesandfunctionstoreduceunintendedaccess.
3.2SecurityPrinciples
LeastPrivilege:Grantonlytheminimumpermissionsneededforatask.
DefenseinDepth:Usemultiplelayersofsecurity(e.g.,firewalls,encryption,authentication).
Fail-SafeDefaults:Denyaccessbydefault;explicitlygrantpermissions.
SecurebyDesign:Incorporatesecurityfromthestartofthedevelopmentlifecycle.
KeepItSimple:Avoidcomplexcodethatincreasestheriskoferrors.
4. Ineffective Countermeasures
Somecountermeasuresfailtoprovideadequateprotectionduetoimproperimplementationorinherentweaknesses:
4.1.RelyingSolelyonClient-SideValidation:
Easilybypassedbyattackersmanipulatingclient-sidecode.
Solution:Alwaysuseserver-sidevalidation.
4.2.OutdatedSoftware:
Unpatchedsystemsarevulnerabletoknownexploits.
Solution:Regularlyupdateandpatchsoftware.
4.3.WeakPasswordPolicies:
Simplepasswordsareeasilycracked.
Solution:EnforcestrongpasswordrequirementsandMFA.
4.4.IgnoringLoggingandMonitoring:
Failuretodetectattacksinreal-time.
Solution:Implementrobustloggingandintrusiondetectionsystems.
4.5.OverrelianceonAntivirusSoftware:
Cannotdetectzero-dayexploitsoradvancedmalware.
Solution:Combinewithotherdefenseslikefirewallsandsandboxing.
Somecountermeasuresfailtoprovideadequateprotectionduetoimproperimplementationorinherentweaknesses:
4.1.RelyingSolelyonClient-SideValidation:
Easilybypassedbyattackersmanipulatingclient-sidecode.
Solution:Alwaysuseserver-sidevalidation.
4.2.OutdatedSoftware:
Unpatchedsystemsarevulnerabletoknownexploits.
Solution:Regularlyupdateandpatchsoftware.
4.3.WeakPasswordPolicies:
Simplepasswordsareeasilycracked.
Solution:EnforcestrongpasswordrequirementsandMFA.
4.4.IgnoringLoggingandMonitoring:
Failuretodetectattacksinreal-time.
Solution:Implementrobustloggingandintrusiondetectionsystems.
4.5.OverrelianceonAntivirusSoftware:
Cannotdetectzero-dayexploitsoradvancedmalware.
Solution:Combinewithotherdefenseslikefirewallsandsandboxing.
Q & A
Thank You
-Saravana Kumar R
UNIT 1.4. –COMPUTER SECURITY
–WEB USER SIDE: BROWSER ATTACKS, WEB
ATTACKS, EMAIL ATTACKS
UNIT 1.4. –COMPUTER SECURITY
–WEB USER SIDE: BROWSER ATTACKS, WEB
ATTACKS, EMAIL ATTACKS
Agenda
1.Browser Attacks
2.Web Attacks Targeting Users
3.Obtaining User or Website Data
4.Email Attacks
5.Conclusion
Q&A
1.Browser Attacks
2.Web Attacks Targeting Users
3.Obtaining User or Website Data
4.Email Attacks
5.Conclusion
Q&A
1. Browser Attacks
BrowserAttackstargetvulnerabilitiesinwebbrowserstocompromiseusersystems,stealdata,ormanipulatebrowsing
sessions.
BrowserAttackTypes
1.Cross-SiteScripting(XSS):Injectingmaliciousscriptsintotrustedwebsites.
Types:Reflected(viaURL),Stored(persistentonserver),DOM(DocumentObjectModel)-based(client-side).
Impact:Stealscookies,sessiontokens,orredirectsuserstomalicioussites.
2.Cross-SiteRequestForgery(CSRF):Tricksusersintoperformingunintendedactionsonatrustedsitewheretheyare
authenticated.
Example:Submittingamaliciousformtotransferfundsfromauser’sbankaccount.
3.Man-in-the-Browser(MitB):Malwaremodifiesbrowserbehaviororinterceptsdatabetweentheuserandserver.
Example:Alteringtransactiondetailsinonlinebanking.
4.Drive-byDownloads:Automaticallydownloadsmalwarewhenvisitingacompromisedwebsite.
Exploitsbrowserorpluginvulnerabilities.
5.SessionHijacking:Stealssessioncookiestoimpersonateauser.
Example:Usingstolencookiestoaccessauser’semailaccount.
BrowserAttackstargetvulnerabilitiesinwebbrowserstocompromiseusersystems,stealdata,ormanipulatebrowsing
sessions.
BrowserAttackTypes
1.Cross-SiteScripting(XSS):Injectingmaliciousscriptsintotrustedwebsites.
Types:Reflected(viaURL),Stored(persistentonserver),DOM(DocumentObjectModel)-based(client-side).
Impact:Stealscookies,sessiontokens,orredirectsuserstomalicioussites.
2.Cross-SiteRequestForgery(CSRF):Tricksusersintoperformingunintendedactionsonatrustedsitewheretheyare
authenticated.
Example:Submittingamaliciousformtotransferfundsfromauser’sbankaccount.
3.Man-in-the-Browser(MitB):Malwaremodifiesbrowserbehaviororinterceptsdatabetweentheuserandserver.
Example:Alteringtransactiondetailsinonlinebanking.
4.Drive-byDownloads:Automaticallydownloadsmalwarewhenvisitingacompromisedwebsite.
Exploitsbrowserorpluginvulnerabilities.
5.SessionHijacking:Stealssessioncookiestoimpersonateauser.
Example:Usingstolencookiestoaccessauser’semailaccount.
1. Browser Attacks
HowBrowserAttacksSucceed:FailedIdentificationandAuthentication
WeakAuthentication:
Browsersrelyoncookiesortokensforsessionmanagement,whichcanbestolenifnotsecurelyhandled.
LackofInputValidation:
WebsitesfailingtosanitizeuserinputsallowXSSorSQLinjection.
OutdatedSoftware:
Unpatchedbrowsersorplugins(e.g.,Flash,Java)arevulnerabletoexploits.
SocialEngineering:
Usersaretrickedintoclickingmaliciouslinksordownloadingfiles.
InsecureProtocols:
Non-HTTPSconnectionsallowattackerstointerceptdata.
Mitigation:
UseHTTPSforsecurecommunication.
Regularlyupdatebrowsersandplugins.
EmployContentSecurityPolicy(CSP)torestrictscriptexecution.
Usebrowsersecurityfeatures(e.g.,sandboxing,SafeBrowsing).
HowBrowserAttacksSucceed:FailedIdentificationandAuthentication
WeakAuthentication:
Browsersrelyoncookiesortokensforsessionmanagement,whichcanbestolenifnotsecurelyhandled.
LackofInputValidation:
WebsitesfailingtosanitizeuserinputsallowXSSorSQLinjection.
OutdatedSoftware:
Unpatchedbrowsersorplugins(e.g.,Flash,Java)arevulnerabletoexploits.
SocialEngineering:
Usersaretrickedintoclickingmaliciouslinksordownloadingfiles.
InsecureProtocols:
Non-HTTPSconnectionsallowattackerstointerceptdata.
Mitigation:
UseHTTPSforsecurecommunication.
Regularlyupdatebrowsersandplugins.
EmployContentSecurityPolicy(CSP)torestrictscriptexecution.
Usebrowsersecurityfeatures(e.g.,sandboxing,SafeBrowsing).
2. Web Attacks Targeting Users
Theseattacksexploitusertrustorbehaviortodelivermaliciouscontentorstealinformation.
2.1.FalseorMisleadingContent:
Contentdesignedtodeceiveusersintoperformingharmfulactions.
Examples:
Fakeloginpagesmimickinglegitimatesites.
Misleadingadspromotingfakesoftwareupdates.
Impact:Leadstocredentialtheft,malwareinstallation,orfinancialscams.
Mitigation:
VerifywebsiteURLsandSSLcertificates.
Avoidclickingsuspiciousadsorlinks.
Educateusersaboutphishingtactics.
Note:SSL(SecureSocketsLayer)isacryptographicprotocolusedtoprovidesecurecommunicationbetweenaweb
browserandawebserver.Itensuresthatdataexchangedbetweenthebrowserandserverremainsencryptedand
protectedfromeavesdropping,tampering,andman-in-the-middleattacks.
Theseattacksexploitusertrustorbehaviortodelivermaliciouscontentorstealinformation.
2.1.FalseorMisleadingContent:
Contentdesignedtodeceiveusersintoperformingharmfulactions.
Examples:
Fakeloginpagesmimickinglegitimatesites.
Misleadingadspromotingfakesoftwareupdates.
Impact:Leadstocredentialtheft,malwareinstallation,orfinancialscams.
Mitigation:
VerifywebsiteURLsandSSLcertificates.
Avoidclickingsuspiciousadsorlinks.
Educateusersaboutphishingtactics.
Note:SSL(SecureSocketsLayer)isacryptographicprotocolusedtoprovidesecurecommunicationbetweenaweb
browserandawebserver.Itensuresthatdataexchangedbetweenthebrowserandserverremainsencryptedand
protectedfromeavesdropping,tampering,andman-in-the-middleattacks.
2. Web Attacks Targeting Users
2.2.MaliciousWebContent:Webpagescontainingharmfulscriptsorfiles.
Examples:
MaliciousJavaScriptexecutingdrive-bydownloads.
Iframesloadingmaliciouscontentfromexternalsites.
Impact:Installsmalware,stealsdata,orcompromisesuserdevices.
Mitigation:
Disableunnecessaryplugins(e.g.,Flash).
Useadblockerstopreventmaliciousads.
Employantivirussoftwarewithreal-timeprotection.
Note:Iframes(InlineFrames)areHTMLelementsthatallowyoutoembedcontentfromanotherwebsite
orsourcewithinawebpage.Theycreateaframeorwindowwithinthepagethatdisplayscontentfroma
differentURL.
2.2.MaliciousWebContent:Webpagescontainingharmfulscriptsorfiles.
Examples:
MaliciousJavaScriptexecutingdrive-bydownloads.
Iframesloadingmaliciouscontentfromexternalsites.
Impact:Installsmalware,stealsdata,orcompromisesuserdevices.
Mitigation:
Disableunnecessaryplugins(e.g.,Flash).
Useadblockerstopreventmaliciousads.
Employantivirussoftwarewithreal-timeprotection.
Note:Iframes(InlineFrames)areHTMLelementsthatallowyoutoembedcontentfromanotherwebsite
orsourcewithinawebpage.Theycreateaframeorwindowwithinthepagethatdisplayscontentfroma
differentURL.
2. Web Attacks Targeting Users
2.3.ProtectingAgainstMaliciousWebPages
BrowserSecuritySettings:
Enablepop-upblockersanddisableautomaticdownloads.
Useprivatebrowsingmodestolimitdatastorage.
WebFilters:DeployURLfilteringtoblockknownmalicioussites.
UserEducation:Trainuserstorecognizesuspiciouswebsites(e.g.,misspellingsinURLs).
SecureDevelopment:DevelopersshoulduseCSP,sanitizeinputs,andavoidinlinescripts.
Note:CSP(ContentSecurityPolicy)isasecurityfeaturethathelpspreventcross-sitescripting(XSS)attacksandother
typesofmaliciouscontentinjection.Itallowsdeveloperstodefinewhichsourcesofcontentareallowedtobeexecuted
withinawebpage.
2.3.ProtectingAgainstMaliciousWebPages
BrowserSecuritySettings:
Enablepop-upblockersanddisableautomaticdownloads.
Useprivatebrowsingmodestolimitdatastorage.
WebFilters:DeployURLfilteringtoblockknownmalicioussites.
UserEducation:Trainuserstorecognizesuspiciouswebsites(e.g.,misspellingsinURLs).
SecureDevelopment:DevelopersshoulduseCSP,sanitizeinputs,andavoidinlinescripts.
Note:CSP(ContentSecurityPolicy)isasecurityfeaturethathelpspreventcross-sitescripting(XSS)attacksandother
typesofmaliciouscontentinjection.Itallowsdeveloperstodefinewhichsourcesofcontentareallowedtobeexecuted
withinawebpage.
3. Obtaining User or Website Data
Attackerstargetsensitivedatastoredortransmittedbyusersandwebsites.
3.1.CodeWithinData
Definition:Embeddingmaliciouscodeindatafields(e.g.,forms,URLs).
Examples:
XSSattacksinjecting<script>tagsinuserinputs.
SQLinjectionembeddingmaliciousSQLcommands.
Impact:
Executesunauthorizedcode,stealsdata,orescalatesprivileges.
Mitigation:
Sanitizeandvalidateallinputs.
Usepreparedstatementsfordatabasequeries.
Encodeoutputtopreventscriptexecution.
Attackerstargetsensitivedatastoredortransmittedbyusersandwebsites.
3.1.CodeWithinData
Definition:Embeddingmaliciouscodeindatafields(e.g.,forms,URLs).
Examples:
XSSattacksinjecting<script>tagsinuserinputs.
SQLinjectionembeddingmaliciousSQLcommands.
Impact:
Executesunauthorizedcode,stealsdata,orescalatesprivileges.
Mitigation:
Sanitizeandvalidateallinputs.
Usepreparedstatementsfordatabasequeries.
Encodeoutputtopreventscriptexecution.
3. Obtaining User or Website Data
3.2.WebsiteData:AUser’sProblem,Too
Issue:Usersareaffectedwhenwebsitesstoresensitivedatainsecurely.
Examples:
Unencryptedstorageofpasswordsorcreditcarddetails.
Leakeddataduetoservermisconfigurations.
Impact:Databreachesexposeuserinformation,leadingtoidentitytheftorfraud.
Mitigation:
Useencryption(e.g.,AESforstorage,TLSfortransmission).
(AES:AdvancedEncryptionStandard,TLS:TransportLayerSecurity)
Followsecurecodingpractices(e.g.,OWASPguidelines).
(OWASP:OpenWebApplicationSecurityProject)
Regularsecurityauditsandpenetrationtesting.
3.3.FoilingDataAttacks
Client-Side:
Usestrongpasswordsandmulti-factorauthentication(MFA).
Avoidsavingsensitivedatainbrowsers(e.g.,autofill).
Server-Side:
Implementsecuresessionmanagement(e.g.,HttpOnlycookies).
Useparameterizedqueriestopreventinjectionattacks.
Network-Level:
DeployWebApplicationFirewalls(WAFs).
UseVPNsforsecureconnectionsonpublicnetworks.
3.2.WebsiteData:AUser’sProblem,Too
Issue:Usersareaffectedwhenwebsitesstoresensitivedatainsecurely.
Examples:
Unencryptedstorageofpasswordsorcreditcarddetails.
Leakeddataduetoservermisconfigurations.
Impact:Databreachesexposeuserinformation,leadingtoidentitytheftorfraud.
Mitigation:
Useencryption(e.g.,AESforstorage,TLSfortransmission).
(AES:AdvancedEncryptionStandard,TLS:TransportLayerSecurity)
Followsecurecodingpractices(e.g.,OWASPguidelines).
(OWASP:OpenWebApplicationSecurityProject)
Regularsecurityauditsandpenetrationtesting.
3.3.FoilingDataAttacks
Client-Side:
Usestrongpasswordsandmulti-factorauthentication(MFA).
Avoidsavingsensitivedatainbrowsers(e.g.,autofill).
Server-Side:
Implementsecuresessionmanagement(e.g.,HttpOnlycookies).
Useparameterizedqueriestopreventinjectionattacks.
Network-Level:
DeployWebApplicationFirewalls(WAFs).
UseVPNsforsecureconnectionsonpublicnetworks.
4. Email Attacks
Emailattacksexploitemailsystemstodeceiveusersordelivermaliciouspayloads.
4.1.FakeEmail-Emailspretendingtocomefromlegitimatesources.
Examples:
Spoofedemailsmimickingabank’sdomain.
Emailswithforgedsenderaddresses.
Impact:
Tricksusersintorevealingcredentialsordownloadingmalware.
4.2.FakeEmailMessagesasSpam- Unsolicitedemails,oftencontaining
maliciouslinksorattachments.
Examples:
Spamofferingfakerewardsorpromotions.
EmailswithinfectedPDFattachments.
Impact:
Deliversmalware,phishinglinks,orscams.
Emailattacksexploitemailsystemstodeceiveusersordelivermaliciouspayloads.
4.1.FakeEmail-Emailspretendingtocomefromlegitimatesources.
Examples:
Spoofedemailsmimickingabank’sdomain.
Emailswithforgedsenderaddresses.
Impact:
Tricksusersintorevealingcredentialsordownloadingmalware.
4.2.FakeEmailMessagesasSpam- Unsolicitedemails,oftencontaining
maliciouslinksorattachments.
Examples:
Spamofferingfakerewardsorpromotions.
EmailswithinfectedPDFattachments.
Impact:
Deliversmalware,phishinglinks,orscams.
4. Email Attacks
4.3.Fake(Inaccurate)EmailHeaderData-Forgedheaderstohidetheemail’strueorigin.
Examples:
Spoofed“From”fieldtoimpersonateatrustedsender.
Manipulated“Reply-To”toredirectresponses.
Impact:Increasessuccessofphishingorspamcampaigns.
Mitigation:
ImplementSPF,DKIM,andDMARCforemailauthentication.
Verifysenderdomainsbeforeactingonemails.
(SPF:SenderPolicyFramework,DMARC:DomainkeysIdentifiedMail,Domain-basedMessage
Authentication,ReportingandConformance)
4.3.Fake(Inaccurate)EmailHeaderData-Forgedheaderstohidetheemail’strueorigin.
Examples:
Spoofed“From”fieldtoimpersonateatrustedsender.
Manipulated“Reply-To”toredirectresponses.
Impact:Increasessuccessofphishingorspamcampaigns.
Mitigation:
ImplementSPF,DKIM,andDMARCforemailauthentication.
Verifysenderdomainsbeforeactingonemails.
(SPF:SenderPolicyFramework,DMARC:DomainkeysIdentifiedMail,Domain-basedMessage
Authentication,ReportingandConformance)
4. Email Attacks
4.4.Phishing-Emailstrickingusersintoprovidingsensitiveinformationorclickingmaliciouslinks.
Types:
SpearPhishing:Targetedattacksonspecificindividuals.
Whaling:Targetinghigh-profileindividuals(e.g.,executives).
Examples:Fakeloginpromptsforbankingoremailaccounts.
Impact:Credentialtheft,financialloss,ormalwareinfection.ProtectingAgainstEmailAttacks
TechnicalMeasures:
Useemailfilterstoblockspamandmaliciousattachments.
DeploySPF,DKIM,andDMARCtopreventemailspoofing.
Scanattachmentswithantivirussoftware.
UserPractices:
Avoidclickinglinksordownloadingattachmentsfromunknownsources.
Verifyemailsenderauthenticity(e.g.,checkdomain).
Useseparateemailaccountsforsensitiveactivities.
OrganizationalPolicies:
Trainemployeesonphishingawareness.
Implementemailencryptionforsensitivecommunications.
4.4.Phishing-Emailstrickingusersintoprovidingsensitiveinformationorclickingmaliciouslinks.
Types:
SpearPhishing:Targetedattacksonspecificindividuals.
Whaling:Targetinghigh-profileindividuals(e.g.,executives).
Examples:Fakeloginpromptsforbankingoremailaccounts.
Impact:Credentialtheft,financialloss,ormalwareinfection.ProtectingAgainstEmailAttacks
TechnicalMeasures:
Useemailfilterstoblockspamandmaliciousattachments.
DeploySPF,DKIM,andDMARCtopreventemailspoofing.
Scanattachmentswithantivirussoftware.
UserPractices:
Avoidclickinglinksordownloadingattachmentsfromunknownsources.
Verifyemailsenderauthenticity(e.g.,checkdomain).
Useseparateemailaccountsforsensitiveactivities.
OrganizationalPolicies:
Trainemployeesonphishingawareness.
Implementemailencryptionforsensitivecommunications.
4. Email Attacks
ProtectingAgainstEmailAttacks
TechnicalMeasures:
Useemailfilterstoblockspamandmaliciousattachments.
DeploySPF,DKIM,andDMARCtopreventemailspoofing.
Scanattachmentswithantivirussoftware.
UserPractices:
Avoidclickinglinksordownloadingattachmentsfromunknownsources.
Verifyemailsenderauthenticity(e.g.,checkdomain).
Useseparateemailaccountsforsensitiveactivities.
OrganizationalPolicies:
Trainemployeesonphishingawareness.
Implementemailencryptionforsensitivecommunications.
Note:SPF,DKIMandDMARCareEmailAuthenticationProtocols
1.SPF(SenderPolicyFramework):Verifiessender'sIPaddressisauthorizedtosendemailsforadomain.
2.DKIM(DomainKeysIdentifiedMail):Addsdigitalsignaturetoensureemailcontentauthenticity.
3.DMARC(Domain-basedMessageAuthentication,Reporting,andConformance):Specifiesactionsfor
unauthenticatedemailsandprovidesreporting.
ProtectingAgainstEmailAttacks
TechnicalMeasures:
Useemailfilterstoblockspamandmaliciousattachments.
DeploySPF,DKIM,andDMARCtopreventemailspoofing.
Scanattachmentswithantivirussoftware.
UserPractices:
Avoidclickinglinksordownloadingattachmentsfromunknownsources.
Verifyemailsenderauthenticity(e.g.,checkdomain).
Useseparateemailaccountsforsensitiveactivities.
OrganizationalPolicies:
Trainemployeesonphishingawareness.
Implementemailencryptionforsensitivecommunications.
Note:SPF,DKIMandDMARCareEmailAuthenticationProtocols
1.SPF(SenderPolicyFramework):Verifiessender'sIPaddressisauthorizedtosendemailsforadomain.
2.DKIM(DomainKeysIdentifiedMail):Addsdigitalsignaturetoensureemailcontentauthenticity.
3.DMARC(Domain-basedMessageAuthentication,Reporting,andConformance):Specifiesactionsfor
unauthenticatedemailsandprovidesreporting.
5. Conclusion
Webandemailattacksexploitusertrust,browservulnerabilities,andpoorsecuritypracticestocompromisesystems
anddata.
BrowserattackslikeXSSandCSRFsucceedduetofailedauthenticationandoutdatedsoftware.
Webattacksusemisleadingormaliciouscontenttodeceiveusers,whiledataattackstargetsensitiveinformation
throughinjectionorbreaches.
Emailattacks,includingphishingandspam,relyonsocialengineeringandspoofing.
Effectivecountermeasuresincludesecurecoding,usereducation,encryption,androbustauthenticationprotocolsto
ensureasecurewebexperience.
Note:
BrowserAttackFactors
1.XSS(Cross-SiteScripting):Injectsmaliciousscriptsintowebsites.
2.CSRF(Cross-SiteRequestForgery):Tricksusersintoperformingunintendedactions.
Mitigations
1.Regularupdatesandpatches
2.Inputvalidationandsanitization
3.Securesessionmanagement
Webandemailattacksexploitusertrust,browservulnerabilities,andpoorsecuritypracticestocompromisesystems
anddata.
BrowserattackslikeXSSandCSRFsucceedduetofailedauthenticationandoutdatedsoftware.
Webattacksusemisleadingormaliciouscontenttodeceiveusers,whiledataattackstargetsensitiveinformation
throughinjectionorbreaches.
Emailattacks,includingphishingandspam,relyonsocialengineeringandspoofing.
Effectivecountermeasuresincludesecurecoding,usereducation,encryption,androbustauthenticationprotocolsto
ensureasecurewebexperience.
Note:
BrowserAttackFactors
1.XSS(Cross-SiteScripting):Injectsmaliciousscriptsintowebsites.
2.CSRF(Cross-SiteRequestForgery):Tricksusersintoperformingunintendedactions.
Mitigations
1.Regularupdatesandpatches
2.Inputvalidationandsanitization
3.Securesessionmanagement
Q & A
Thank You
Tags
Categories
EducationDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 8
- Slides 52
- Age 80 days
Related Slideshows
11
TLE-9-Prepare-Salad-and-Dressing.pptxkkk
MaAngelicaCanceran
32 views
12
LESSON 1 ABOUT MEDIA AND INFORMATION.pptx
JojitGueta
27 views
60
GRADE-8-AQUACULTURE-WEEKQ1.pdfdfawgwyrsewru
MaAngelicaCanceran
42 views
26
Feelings PP Game FOR CHILDREN IN ELEMENTARY SCHOOL.pptx
KaistaGlow
41 views
![Jeopardy_Figures_of_Speech_Template.pptx [Autosaved].pptx](https://slidepub.com/thumb/5828/284015828.jpg)
54
Jeopardy_Figures_of_Speech_Template.pptx [Autosaved].pptx
acecamero20
25 views
7
Jeopardy_Figures_of_Speech.pptxvdsvdsvsdvsd
acecamero20
25 views