Software Security Lecture Week 1

Need for Security

  • Security is essential to protect systems, data, and resources against unauthorized access, disclosure, alteration, or destruction.

Security Goals

  • CIA Triad: Fundamental model ensuring protection, trustworthiness, and availability of systems and data.
    • Confidentiality: Non-disclosure of information.
    • Integrity: Assurance that data remains unchanged.
    • Availability: Ensures timely access for authorized users.

Security Breaches

Case Study 1: Equifax Data Breach (2017)
  • Cause: Vulnerability in Apache Struts used by Equifax.
  • Impact: Personal information of ~147 million individuals compromised (e.g., names, Social Security numbers).
  • Consequences: Financial and reputational damage, lawsuits, identity theft concerns.
Case Study 2: SolarWinds Supply Chain Attack (2020)
  • Impact: Unauthorized access through compromised software updates.
  • Response: Urgent patching by organizations; raised supply chain security concerns.
Case Study 3: Facebook Data Leak (2019)
  • Cause: Exploitation of the "View As" feature.
  • Impact: Data of 530 million users exposed.
  • Consequences: Increased scrutiny over data practices and regulatory oversight.
Case Study 4: Change Healthcare Ransomware Attack (2024)
  • Attack Type: Ransomware on EDI systems.
  • Impact: Affected 145 million individuals, disrupting healthcare operations.
  • Consequences: Raised cybersecurity concerns; highlighted the need for stronger data protection.

Types of Security Attacks

  1. Passive Attacks:
    • Eavesdropping without affecting system resources.
    • Types:
      • Release of Message Contents (e.g., phone calls).
      • Traffic Analysis (monitoring patterns without deciphering).
  2. Active Attacks:
    • Attacks that alter resources or operations.
    • Types:
      • Masquerade (pretending to be another entity).
      • Replay (resending captured data).
      • Modification (altering message contents).
      • Denial of Service (disrupting availability).

Security Services

  • Authentication: Validating identities (e.g., client-server authentication).
  • Access Control: Limiting system access to authenticated entities.
  • Data Confidentiality: Protecting data from unauthorized access.
  • Data Integrity: Ensuring data is as intended, without modifications.
  • Non-repudiation: Providing proof of participation in communications.

Security Mechanisms

  • Encipherment: Using algorithms to transform data to a non-readable form.
  • Access Control: Enforcing rights to resource access.
  • Data Integrity: Ensuring correctness of data.
  • Traffic Padding: Inserting data to obscure actual traffic volume.
  • Notarization: Involvement of a trusted third party for data assurance.

Key Terminologies

  • Asset: Valuable resources (data, hardware, software) that need protection.
  • Threat: Potential danger to an asset (e.g., malware, unauthorized access).
  • Vulnerability: Weakness in a system that can be exploited.
  • Risk: Likelihood of a threat exploiting a vulnerability.
  • Attack: Intentional act to compromise security (e.g., phishing, DoS).
  • Mitigation: Processes to reduce impact of threats (e.g., antivirus software, firewalls).

Recommended Resources

  • Stallings, W. (2006). Cryptography and network security, 4/E. Pearson Education India.
  • Helfrich, J. N. (2018). Security for Software Engineers. CRC Press.