Software Security Lecture Week 1

Need for Security

  • Security is essential to protect systems, data, and resources against unauthorized access, disclosure, alteration, or destruction.

Security Goals

  • CIA Triad: Fundamental model ensuring protection, trustworthiness, and availability of systems and data.
    • Confidentiality: Information is not disclosed to unauthorized parties.
    • Integrity: Assurance that data is not altered without authorization.
    • Availability: Ensures timely access for authorized users.

Security Breaches

Case Study 1: Equifax Data Breach (2017)
  • Cause: Vulnerability in Apache Struts used by Equifax.
  • Impact: Personal information of ~147 million individuals compromised (e.g., names, Social Security numbers).
  • Consequences: Financial and reputational damage, lawsuits, identity theft concerns.

Case Study 2: SolarWinds Supply Chain Attack (2020)
  • Impact: Unauthorized access through compromised software updates.
  • Response: Urgent patching by organizations; raised supply chain security concerns.

Case Study 3: Facebook Data Leak (2019)
  • Cause: Exploitation of the "View As" feature.
  • Impact: Data of 530 million users exposed.
  • Consequences: Increased scrutiny over data practices and regulatory oversight.

Case Study 4: Change Healthcare Ransomware Attack (2024)
  • Attack Type: Ransomware on EDI systems.
  • Impact: Affected 145 million individuals, disrupting healthcare operations.
  • Consequences: Raised cybersecurity concerns; highlighted the need for stronger data protection.

Types of Security Attacks

  1. Passive Attacks:
    • Eavesdropping without affecting system resources.
    • Types:
      • Release of Message Contents (e.g., an eavesdropper listening to a phone call).
      • Traffic Analysis (monitoring communication patterns without deciphering the contents).
  2. Active Attacks:
    • Attacks that alter resources or operations.
    • Types:
      • Masquerade (pretending to be another entity).
      • Replay (resending captured data).
      • Modification (altering message contents).
      • Denial of Service (disrupting availability).

Security Services

  • Authentication: Validating identities (e.g., client-server authentication).
  • Access Control: Limiting system access to authenticated entities.
  • Data Confidentiality: Protecting data from unauthorized access.
  • Data Integrity: Ensuring data is as intended, without modifications.
  • Non-repudiation: Providing proof of participation in communications.

Security Mechanisms

  • Encipherment: Using algorithms to transform data to a non-readable form.
  • Access Control: Enforcing rights to resource access.
  • Data Integrity: Ensuring correctness of data.
  • Traffic Padding: Inserting extra data into the traffic stream to obscure the actual traffic volume.
  • Notarization: Involvement of a trusted third party for data assurance.

Key Terminologies

  • Asset: Valuable resources (data, hardware, software) that need protection.
  • Threat: Potential danger to an asset (e.g., malware, unauthorized access).
  • Vulnerability: Weakness in a system that can be exploited.
  • Risk: Likelihood of a threat exploiting a vulnerability.
  • Attack: Intentional act to compromise security (e.g., phishing, DoS).
  • Mitigation: Processes to reduce the impact of threats (e.g., antivirus software, firewalls).

Recommended Resources

  • Stallings, W. (2006). Cryptography and network security, 4/E. Pearson Education India.
  • Helfrich, J. N. (2018). Security for Software Engineers. CRC Press.