CNIT 271: Midterm 2

Cards (38)

  • IoT refers to the interconnection of smart devices, ranging from appliances to tiny sensors
  • Objects deliver sensor info, act on their environment, and modify themselves to create overall management of a larger system
  • Deeply embedded devices are low-bandwidth, low-repetition data-capture and low-bandwidth data-usage appliances that communicate with each other
  • Embedded appliances such as high-resolution video security cameras and VoIP phones require high-bandwidth streaming capabilities
  • The four generations of IoT deployment
    • Info Tech
    • Operational Tech
    • Personal Tech
    • Sensor/Actuator Tech
  • IoT Components
    • Sensor
    • Actuator
    • Transceiver
    • RFID
  • Software errors due to poor programming (the three categories of the CWE/SANS Top 25 Most Dangerous Software Errors)
    Insecure interaction between components
    Risky resource management
    Porous defenses
  • Insecure Interaction Between Components
    SQL Injection
    OS Command Injection
    Cross-site Scripting
    Unrestricted Upload of File with Dangerous Type
    Open Redirect
  • Risky Resource Management
    Classic Buffer Overflow
    Path Traversal
    Download of Code Without Integrity Check
  • Porous Defenses
    Missing Authentication/Authorization
    Use of Hard Coded Credentials
    Missing Encryption
    Execution with Unnecessary Privileges
  • Web Application Security Flaws
    Unvalidated Input
    Cross-site Scripting
    Buffer Overflow
    Injection Flaws
    Improper Error Handling
  • Defensive programming
    An approach to programming that attempts to identify possible threats and proactively create code to avoid them; also called secure programming.
  • Software Development Life Cycle
    Spells out what steps take place in the process of developing software and the order in which they take place. There are several models of the life cycle.
    1. Project initiation and planning
    2. Functional requirements and definition
    3. System design specification
    4. Build (develop) and document
    5. Acceptance testing
    6. Implementation (transition to production)
    7. Operations and maintenance
    8. Disposal
  • Waterfall Development Model
    a step-by-step process where each step flows into another
    Requirement Analysis
    System Design
    Implementation
    Testing
    Deployment
    Maintenance
  • Agile Development Model
    Incremental development (a series of small projects) through iterative processes and continuous communication with users. Uses sprints of 1-4 weeks.
  • Cross-Site Scripting (XSS)
    An attack that injects scripts into a Web application (via input the server stores or reflects without validation or encoding) so that the scripts execute in other clients' browsers; the server is the carrier, the clients are the targets.
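The card above describes the attack; the block below is an added example (not from the course material) of the output-encoding defense, showing the vulnerable and hardened render side by side. The comment text, the function names and the HTML fragment are all constructed for this illustration. It also covers the href context, where encoding alone is not enough and the URL scheme has to be allow-listed.

```python
import html
from urllib.parse import urlsplit

# Constructed attacker input: closes a double-quoted attribute and then
# injects a script element.
ATTACKER_COMMENT = '"><script>alert(document.cookie)</script>'


def render_comment_unsafe(comment):
    """Vulnerable: user text is spliced into the page without encoding."""
    return '<div class="comment" title="%s">%s</div>' % (comment, comment)


def render_comment_safe(comment):
    """Hardened: encode for the HTML context before splicing. quote=True also
    encodes " and ' so the attribute context cannot be broken out of."""
    safe = html.escape(comment, quote=True)
    return '<div class="comment" title="%s">%s</div>' % (safe, safe)


def render_link_safe(url, label):
    """Escaping alone does not help inside href: a javascript: URL is perfectly
    valid attribute text. Allow only http(s) schemes, then encode."""
    scheme = urlsplit(url.strip()).scheme.lower()
    if scheme not in ("http", "https"):
        raise ValueError("refusing URL with scheme %r" % scheme)
    return '<a href="%s">%s</a>' % (html.escape(url, quote=True),
                                    html.escape(label, quote=True))


def contains_live_script(fragment):
    """Demonstration check only: did a real <script tag survive into the
    output? The encoded form &lt;script does not match."""
    return "<script" in fragment.lower()
```

Encoding is per context: the same string needs HTML-entity encoding in element text and attributes, scheme validation in URLs, and JavaScript-string encoding inside inline scripts; one escape function does not cover all three.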
  • SQL Injection
    Bypass authentication
    Information disclosure
    Compromised availability of data
  • SQL Injection Countermeasures
    Secure Software Development
    Input validation and sanitization
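The two cards above list what SQL injection achieves (authentication bypass) and the countermeasures. The following added example (constructed for this page, not course code) shows the bypass against a concatenated query in an in-memory SQLite database, the parameterised query that defeats it, and an allow-list validation of the username as a second layer. Table layout, sample users and the attack string are all made up for the demonstration.

```python
import re
import sqlite3

# Allow-list: a username may contain only these characters.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def build_db():
    """In-memory database with constructed sample rows. Passwords are stored
    in plaintext only so the injection stays visible; real systems store
    salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("admin", "correct horse battery"), ("alice", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string formatting: the attacker's quote ends the
    literal and '--' comments out the password comparison entirely."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised statement: the driver passes the values separately from the
    SQL text, so quotes and comment markers in the input are just data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def valid_username(username):
    """Input validation by allow-list rather than by blocking 'dangerous' characters."""
    return USERNAME_RE.fullmatch(username) is not None


# Constructed attack string: closes the quoted literal, then comments out the rest.
BYPASS_USERNAME = "admin' --"
```

Parameterisation is the fix; validation narrows the input so that a future concatenation bug elsewhere has less to work with, but it is not a substitute.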
  • Canonicalization
    Is a process for converting data that has more than one possible representation into a "standard", "normal", or simplest form.
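Canonicalization matters because the path-traversal item earlier in the deck is exactly a failure to check the canonical form. The added example below (not from the course) canonicalizes a user-supplied relative path against a base directory and shows four things a lexical check misses: percent-encoding, double encoding, an absolute path, and a symlink inside the tree that points outside it. Directory layout, file names and the symlink are constructed in a temporary directory for the demonstration.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


def safe_join(base_dir, user_path):
    """Decode once, canonicalize with the filesystem (realpath resolves symlinks
    and '..'), then check containment against the canonical base."""
    base_real = os.path.realpath(base_dir)
    decoded = unquote(user_path)
    if unquote(decoded) != decoded:
        raise ValueError("double-encoded path rejected: %r" % user_path)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    # os.path.join discards base_real if decoded is absolute; the containment
    # check below catches that case too.
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("path escapes base directory: %r" % user_path)
    return candidate


def lexical_only(base_dir, user_path):
    """Weak version for comparison: normalizes the text but never consults
    the filesystem, so a symlink escape looks fine."""
    candidate = os.path.normpath(os.path.join(base_dir, user_path))
    return candidate == base_dir or candidate.startswith(base_dir + os.sep)


def demo():
    """Constructed tree: base/reports/q1.txt plus a symlink base/link -> parent of base."""
    base = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(base, "reports"))
        with open(os.path.join(base, "reports", "q1.txt"), "w") as f:
            f.write("constructed report\n")
        os.symlink(os.path.dirname(os.path.realpath(base)), os.path.join(base, "link"))
        results = {"normal_ok": safe_join(base, "reports/q1.txt").endswith("q1.txt")}
        attempts = [
            ("dotdot", "../../etc/passwd"),
            ("encoded", "%2e%2e/%2e%2e/etc/passwd"),
            ("double_encoded", "%252e%252e/etc/passwd"),
            ("absolute", "/etc/passwd"),
            ("symlink", "link/secret"),
        ]
        for label, path in attempts:
            try:
                safe_join(base, path)
                results[label + "_rejected"] = False
            except ValueError:
                results[label + "_rejected"] = True
        results["symlink_lexical_passes"] = lexical_only(base, "link/secret")
        return results
    finally:
        shutil.rmtree(base)
```

The check must run on the canonical form of both sides: realpath of the base as well as of the candidate, otherwise a base directory that is itself a symlink makes every comparison fail or, worse, pass for the wrong reason.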
  • Validating Numeric Input
    Numeric input must be parsed and range-checked rather than accepted as text; integer sizes and floating-point representations depend on the processor and language used, so the acceptable range has to be checked explicitly
  • Input Fuzzing
    Software testing technique that uses randomly generated data as inputs to a program
    A combination of approaches is needed for reasonably comprehensive coverage of the inputs
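To connect the numeric-validation and fuzzing cards, here is an added example (constructed for this page, not course code) of a small fuzz harness run against two port-number parsers: a strict one and the lenient int()-based one most programs actually use. The alphabet, the parsers and the iteration counts are all made up for the demonstration; the harness records inputs the two parsers treat differently and any exception that is not the expected ValueError.

```python
import math
import random
import string

PORT_MAX = 65535


def parse_port_strict(text):
    """Accept only 1-5 ASCII decimal digits within range; everything else is a
    ValueError. No sign, whitespace, underscores or non-ASCII digits."""
    if not 1 <= len(text) <= 5 or not all("0" <= c <= "9" for c in text):
        raise ValueError("not a plain decimal number: %r" % text)
    value = int(text)
    if value > PORT_MAX:
        raise ValueError("port out of range: %d" % value)
    return value


def parse_port_naive(text):
    """What many programs actually do. int() quietly accepts ' 80 ', '+80',
    '8_0' and non-ASCII decimal digits such as Arabic-Indic digits."""
    value = int(text)
    if not 0 <= value <= PORT_MAX:
        raise ValueError("port out of range: %d" % value)
    return value


def parse_finite_float(text):
    """float() accepts 'nan', 'inf' and '1e400' (which overflows to inf), so a
    range check on floats must test finiteness, not just magnitude."""
    value = float(text)
    if not math.isfinite(value):
        raise ValueError("non-finite number rejected: %r" % text)
    return value


# Alphabet chosen to probe the lenient behaviours above: ASCII digits,
# whitespace, signs, underscore and the Arabic-Indic digits U+0660..U+0669.
ALPHABET = string.digits + " \t+-_" + "".join(chr(0x0660 + i) for i in range(10))


def fuzz_parsers(iterations=5000, seed=1):
    """Feed the same random inputs to both parsers. Any exception other than
    ValueError is a crash; any input the parsers treat differently marks a
    place where the lenient parser accepts what the strict one rejects."""
    rng = random.Random(seed)
    disagreements, crashes = [], []
    for _ in range(iterations):
        text = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(1, 6)))
        outcomes = []
        for parser in (parse_port_naive, parse_port_strict):
            try:
                outcomes.append(parser(text))
            except ValueError:
                outcomes.append(None)
            except Exception as exc:  # a fuzzer must catch everything
                crashes.append((text, parser.__name__, repr(exc)))
                outcomes.append(None)
        if outcomes[0] != outcomes[1]:
            disagreements.append((text, outcomes[0], outcomes[1]))
    return {"disagreements": disagreements, "crashes": crashes}
```

Random strings alone rarely reach deep code paths; the alphabet here is deliberately biased toward the characters that matter, which is the "combination of approaches" the card refers to.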
  • Race conditions (time of check/time of use, TOCTOU)
    A flaw in which a program checks a condition (for example, a file's existence or permissions) and later acts on the result, and an attacker changes the state between the check and the use; more generally, an undesirable situation in which two or more operations on a shared resource overlap in time
  • Preventing Race Conditions
    Lockfile: a process must atomically create and own the lockfile before it may access the shared resource; the creation must be a single atomic operation, otherwise the lockfile check is itself a TOCTOU race
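An added example (not part of the course) of the lockfile technique. It contrasts the racy exists-then-create sequence with creation using O_CREAT|O_EXCL, which the kernel performs as one atomic operation, and adds the stale-lock check a practitioner needs when the holder crashes. The lock path, the PID layout inside the file and the fake stale PID are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def acquire_racy(path):
    """Vulnerable check-then-act. Between the exists() test (time of check) and
    the open() (time of use) another process can create the file; both then
    believe they own the lock."""
    if os.path.exists(path):
        return False
    with open(path, "w") as f:
        f.write("%d\n" % os.getpid())
    return True


class LockFile:
    """Advisory lock: an atomically created file holding the owner's PID."""

    def __init__(self, path):
        self.path = path
        self.fd = None

    def acquire(self):
        try:
            # O_CREAT|O_EXCL: "does not exist" and "create" are one syscall, so
            # exactly one of several competing processes succeeds.
            fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
        except FileExistsError:
            return False
        os.write(fd, ("%d\n" % os.getpid()).encode())
        self.fd = fd
        return True

    def release(self):
        if self.fd is None:
            return
        os.close(self.fd)
        self.fd = None
        os.unlink(self.path)

    def holder_pid(self):
        try:
            with open(self.path) as f:
                return int(f.read().strip())
        except (FileNotFoundError, ValueError):
            return None

    def is_stale(self):
        """True if the recorded holder no longer exists (crashed without release)."""
        pid = self.holder_pid()
        if pid is None:
            return False
        try:
            os.kill(pid, 0)  # signal 0: existence check, nothing is delivered
        except ProcessLookupError:
            return True
        except PermissionError:
            return False  # process exists but belongs to another user
        return False


def demo():
    """Constructed scenario in a temporary directory; returns the observed outcomes."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "resource.lock")
    try:
        a, b = LockFile(path), LockFile(path)
        first = a.acquire()                 # file created
        second = b.acquire()                # O_EXCL refuses the existing file
        pid_matches = a.holder_pid() == os.getpid()
        a.release()
        third = b.acquire()                 # succeeds once the holder released
        b.release()
        # Simulate a crashed holder: a lockfile naming a PID that cannot exist.
        with open(path, "w") as f:
            f.write("999999999\n")
        stale = LockFile(path).is_stale()
        return {"first": first, "second": second, "third": third,
                "pid_matches": pid_matches, "stale_detected": stale}
    finally:
        shutil.rmtree(workdir)
```

O_EXCL is only reliable on a local filesystem; on older NFS mounts it is not atomic, which is why some daemons use link()-based locks or flock()/fcntl() instead.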
  • Environment variables
    Collection of string values inherited by each process from its parent
    • Can affect the way a running process behaves
    • Included in memory when it is constructed
    • Can be modified by the program process at any time
    • Modifications will be passed to its children
    • Another source of untrusted program input
    • Most common use is by a local user attempting to gain increased privileges
    • Goal is to subvert a program that grants superuser or administrator privileges
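The card lists environment variables as untrusted input used by local users to subvert privileged programs. The added example below (constructed for this page, not course code) shows the PATH-hijack the card alludes to and the standard countermeasure: build the child's environment by allow-list, fix PATH to trusted directories, and resolve commands to absolute paths before spawning. The trusted directory list, the pass-through variable names and the fake backupctl command are assumptions made for the demonstration.

```python
import os
import shutil
import stat
import subprocess
import tempfile

# Fixed search path for any child we spawn, regardless of the caller's PATH.
TRUSTED_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# The only variables worth inheriting. Everything else (LD_PRELOAD,
# LD_LIBRARY_PATH, IFS, PYTHONPATH, BASH_ENV, ...) is dropped by construction.
PASS_THROUGH = ("LANG", "LC_ALL", "TZ", "HOME", "USER")


def sanitized_env(source=None):
    """Build a child environment by allow-list rather than by deleting known-bad names."""
    source = os.environ if source is None else source
    env = {"PATH": TRUSTED_PATH}
    for name in PASS_THROUGH:
        if name in source:
            env[name] = source[name]
    return env


def resolve_trusted(command):
    """Resolve a bare command name against TRUSTED_PATH only. Names containing
    a slash are refused so a caller cannot smuggle in a relative path."""
    if "/" in command:
        raise ValueError("command must be a bare name: %r" % command)
    return shutil.which(command, path=TRUSTED_PATH)


def run_trusted(command, *args):
    """Spawn with an absolute executable path and the sanitized environment."""
    exe = resolve_trusted(command)
    if exe is None:
        raise FileNotFoundError(command)
    return subprocess.run([exe, *args], env=sanitized_env(),
                          capture_output=True, text=True, check=True)


def demo_path_hijack():
    """Plant a fake 'backupctl' in an attacker-controlled directory and put that
    directory first in PATH, as a local user would to subvert a privileged
    script that runs 'backupctl' by bare name."""
    evil_dir = tempfile.mkdtemp()
    try:
        fake = os.path.join(evil_dir, "backupctl")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho pwned\n")
        os.chmod(fake, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP
                 | stat.S_IROTH | stat.S_IXOTH)
        hostile_path = evil_dir + os.pathsep + TRUSTED_PATH
        return {
            "evil_dir": evil_dir,
            # A naive lookup honours the caller's PATH and finds the planted file.
            "naive": shutil.which("backupctl", path=hostile_path),
            # The trusted lookup never consults the caller's PATH.
            "trusted": resolve_trusted("backupctl"),
        }
    finally:
        shutil.rmtree(evil_dir)
```

For setuid binaries the dynamic loader already ignores LD_PRELOAD and LD_LIBRARY_PATH, but PATH, IFS and interpreter-specific variables are still inherited, which is why privileged scripts reset the environment themselves.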
  • Operating System Security
    White-list approved applications
    Patch third-party applications and operating system vulnerabilities
    Restrict administrative privileges
    Create a defense-in-depth system
  • Layered Defense or Onion Model
    anti-virus
    host firewall
    host intrusion detection
    OS hardening
  • Operating System Security Process
    Assess risks and plan the system deployment
    • Secure the underlying operating system and then the key applications
    • Ensure any critical content is secured
    • Ensure appropriate network protection mechanisms are used
    • Ensure appropriate processes are used to maintain security
  • Operating System Hardening
    Install and patch the operating system
    • Harden and configure the operating system to adequately address the identified security needs of the system by:
    ▪ Removing unnecessary services, applications, and protocols
    ▪ Configuring users, groups, and permissions
    ▪ Configuring resource controls
    • Install and configure additional security controls, such as anti-virus, host-based firewalls, and intrusion detection system (IDS)
    • Test the security of the basic operating system to ensure that the steps taken adequately address its security needs
  • System Planning Process
    Categories of users on the system
    Privileges they have
    • Types of information they can access
    • How and where they are defined and authenticated
  • Additional Security Tools
    Anti-virus software
    • Host-based firewalls
    IDS or IPS software
    Application white-listing
  • Application Configuration
    Creating and specifying appropriate data storage areas for application
    • Making appropriate changes to the application or service default configuration details
  • Security Maintenance
    Monitoring and analyzing logging information
    • Performing regular backups
    • Recovering from security compromises
    Regularly testing system security
    • Using appropriate software maintenance processes to patch and update all critical software, and to monitor and revise configuration as needed
  • Linux/Unix Security
    Change Permissions in critical directories and files
    use firewalls
    use a chroot jail
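The "change permissions in critical directories and files" item is usually carried out with an audit first. The added example below (constructed for this page, not course code) walks a directory tree and reports world-writable files and directories and setuid/setgid executables, tolerating a world-writable directory only when it carries the sticky bit, as /tmp does. The sample tree, its file names and modes are constructed in a temporary directory for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def classify(mode, is_dir):
    """Return the weaknesses a mode exhibits. A world-writable directory with
    the sticky bit (like /tmp) is tolerated; a world-writable file never is."""
    findings = []
    if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
        findings.append("world-writable")
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID and not is_dir:  # setgid on a dir only affects group inheritance
        findings.append("setgid")
    return findings


def audit_tree(root):
    """Walk root and map each offending path (relative to root) to its findings."""
    findings = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow symlinks into other trees
            if stat.S_ISLNK(st.st_mode):
                continue
            hits = classify(st.st_mode, stat.S_ISDIR(st.st_mode))
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def demo():
    """Constructed tree mimicking a small install; returns audit_tree's output."""
    root = tempfile.mkdtemp()
    try:
        files = {
            "etc/app.conf": 0o666,    # anyone can rewrite the configuration
            "etc/secret.key": 0o600,  # owner only: fine
            "bin/helper": 0o4755,     # setuid: runs as the file owner
            "bin/tool": 0o755,        # fine
        }
        for rel, mode in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write("constructed\n")
            os.chmod(path, mode)
        dirs = {"shared": 0o777, "scratch": 0o1777}  # scratch is /tmp-style
        for rel, mode in dirs.items():
            os.makedirs(os.path.join(root, rel))
            os.chmod(os.path.join(root, rel), mode)
        return audit_tree(root)
    finally:
        shutil.rmtree(root)
```

On a real host the same walk over /etc, /usr and /var is the starting point for the permission changes the card calls for; the findings that matter most are world-writable files read by privileged processes and setuid binaries nobody can account for.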
  • User Account Control (UAC)
    Provided in Vista and later systems
    • Assists with ensuring users with administrative rights only use them when required, otherwise accesses the system as a normal user
  • Hypervisor
    is the resource broker
    It allows multiple VMs to safely coexist on a single physical server host and share that host's resources
    is between the VM and the hardware
  • Hypervisor Functions
    Execution management of VMs
    • Devices emulation and access control
    • Execution of privileged operations by hypervisor for guest VMs
    • Management of VMs (also called VM lifecycle management)
    • Administration of the hypervisor platform and hypervisor software
  • two architectures
    hosted: runs on top of an existing operating system
    bare-metal: installed directly on the hardware
  • Types of Virtualization
    Full virtualization: all guest operating system requests are translated by the hypervisor and passed to the physical hardware
    • Isolates the virtual machine from the physical hardware
    • Most secure
    Paravirtualization: the guest OS is modified so that it handles the instructions that can be virtualized itself and replaces the non-virtualizable instructions with calls to the hypervisor
    • Fast performance, but does not work on all hardware or with all OSs
    Hardware-assisted: the hypervisor takes all non-virtualizable instructions and issues them to the hardware in root mode
    • Good compatibility, poorer performance
    • Significant hit to security