Security Overview

Dr. Greg M. Bernstein

October 14th, 2019

Web Security Overview

Outline

  • InfoSec concepts: Confidentiality, Integrity, Availability
  • Threats: OWASP Top 10
  • Authentication, Authorization, and Accounting
  • Session Management

References

Confidentiality

From MDN/NIST:

Confidentiality refers to protecting information from being accessed by unauthorized parties. In other words, only the people who are authorized to do so can gain access to sensitive data.

Imagine your bank records. You should be able to access them, of course, and employees at the bank who are helping you with a transaction should be able to access them, but no one else should. A failure to maintain confidentiality means that someone who shouldn’t have access has managed to get it, through intentional behavior or by accident.

Confidentiality

From MDN/NIST:

Such a failure of confidentiality, commonly known as a breach, typically cannot be remedied. Once the secret has been revealed, there’s no way to un-reveal it. If your bank records are posted on a public website, everyone can know your bank account number, balance, etc., and that information can’t be erased from their minds, papers, computers, and other places. Nearly all the major security incidents reported in the media today involve major losses of confidentiality.

Integrity

From MDN/NIST:

Integrity refers to ensuring the authenticity of information—that information is not altered, and that the source of the information is genuine. Imagine that you have a website and you sell products on that site. Now imagine that an attacker can shop on your web site and maliciously alter the prices of your products, so that they can buy anything for whatever price they choose. That would be a failure of integrity, because your information—in this case, the price of a product—has been altered and you didn’t authorize this alteration.

Integrity

From MDN/NIST:

Another example of a failure of integrity is when you try to connect to a website and a malicious attacker between you and the website redirects your traffic to a different website. In this case, the site you are directed to is not genuine.

Availability

From Wikipedia

For any information system to serve its purpose, the information must be available when it is needed. This means the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.

Ensuring availability also involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system, essentially forcing it to shut down.

Access Control

The AAA Framework

How do we control who can see and modify data? The most common approach is based on the trio of:

  • Authentication
  • Authorization
  • Accounting

Authentication

From Wikipedia

Authentication is the act of verifying a claim of identity.

Authentication: Analog Example

From Wikipedia

When John Doe goes into a bank to make a withdrawal, he tells the bank teller he is John Doe, a claim of identity. The bank teller asks to see a photo ID, so he hands the teller his driver’s license. The bank teller checks the license to make sure it has John Doe printed on it and compares the photograph on the license against the person claiming to be John Doe. If the photo and name match the person, then the teller has authenticated that John Doe is who he claimed to be.

Authentication Information

From Wikipedia

There are three different types of information that can be used for authentication:

  • Something you know: things such as a PIN, a password, etc…
  • Something you have: a driver’s license or a magnetic swipe card
  • Something you are: biometrics, including fingerprints, retina (eye) scans, etc…

Multi-Factor Authorization

For stronger authentication multiple pieces of authentication information can be use including those from multiple categories (know, have, are)

Authorization

From Wikipedia

After a person, program or computer has successfully been identified and authenticated then it must be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change). This is called authorization. Authorization to access information and other computing services begins with administrative policies and procedures.

Authorization Systems

  • Role Based Access Control (RBAC): Example BlackBoard (LMS) – admin, student, teacher, grader
  • File permissions: Example Linux user, group, and other permissions
  • Access Control Lists: Commonly used in firewalls and routers

Accounting

We use logging and monitoring to determine:

  • Who is using the system(s)?
  • How are they using the systems?
  • Is that use appropriate?

Threats

What are threats?

Threats are any mechanism or technique that can intentionally or accidentally compromise the confidentiality, integrity or availability of a system.

Threat Classification

  • Threats can be broadly or narrowly classified
  • These stem from general approaches to specific attack vectors

OWASP Top Ten Threat Project

“A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas, and provides guidance on where to go from here.”

OWASP Top Ten 1-4

  • A1: Injection
  • A2: Broken Authentication
  • A3: Sensitive Data Exposure
  • A4: XML External Entities Not applicable to us

OWASP Top Ten 5-7

  • A5: Broken Access Control
  • A6: Security Misconfiguration
  • A7: Cross-Site Scripting (XSS) A type of injection

OWASP Top Ten 8-10

  • A8: Insecure Deserialization
  • A9: Using Components with Known Vulnerabilities
  • A10: Insufficient Logging & Monitoring

Applicability of OWASP to CS651

Multi User Web Application Project

  • We need to support multiple-users
  • Users have both private and shared information
  • Users have different roles
  • Users create and modify information via the application

Injection

Almost any source of data can be an injection vector, environment variables, parameters, external and internal web services, and all types of users. Injection flaws occur when an attacker can send hostile data to an interpreter.

This is almost entirely a software development issue

Broken Authentication 1

From OWASP Broken Authentication

Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens.

Broken Authentication 2

From OWASP Broken Authentication

The prevalence of broken authentication is widespread due to the design and implementation of most identity and access controls. Session management is the bedrock of authentication and access controls, and is present in all stateful applications.

CS651 Implications

  • We must implement access control (authentication, authorization) for our multi-user web application.
  • We have to implement session management to enable the above!