BYU-I: Computer Security
This article can be used to get an idea of what is taught in the computer security course at BYU-I. It could serve as a review of that course's material or as a basic introduction to software security.
This course gives you an introduction to terms used in cyber security. I found it helpful to also take CodePath's free cybersecurity course, which allowed me to apply that knowledge more as I was taking the class.
Classification of attacks
When securing computer information, attacks are classified using several models, such as the CIA triad below.
Confidentiality — Disclosing private information.
Integrity — Altering the data.
Availability — Denying access to the data.
There are many other ways to classify attacks. This class also goes over STRIDE and DREAD. An attack may fall into many categories even within the same model depending on how you word it or what aspect of the attack you are considering.
Explore more on classifications here.
Software layers
The process of information traveling through a network is often explained and analyzed using the OSI or TCP/IP (Transmission Control Protocol/Internet Protocol) model. You use these protocols when you type an address in the URL bar, creating a channel that serves the web page. The OSI model does not reflect modern network structure as well, so TCP/IP was made. TCP/IP has 4 layers.
Application — Generates data and requests connections.
Transport — Responsible for end-to-end communication.
Internet — A set of protocols that tell packets of data how to get from one place to the designated IP address.
Network access — The data link and physical layers of the OSI model: the link-level and physical means by which each network hop reaches the next on the way to a destination.
Software Weapons
An attack is the act of an attacker compromising a system to obtain an item of value.
Malware can get onto your computer through spam email, USB drives, poor security, torrents, free or illegal downloads, or websites, so avoid making assumptions about websites you do not commonly visit. There are tools to assist with this, such as URLVoid, and best practices to follow.
You can identify and remove malware by using security software. You can also recognize that malware is already on your computer from hints such as slowdowns, crashes, being unable to remove software, excessive ads, and other unexpected actions taken by your device.
Attacks requiring human intervention
Rabbit — Consumes resources to prevent user access.
Bomb — Removes data when triggered by some event.
Adware — Displays unwanted ads when the user is online.
Trojan — Deceives you into letting it control your computer.
Ransomware — Encrypts files rendering them unusable requiring a fee to regain access.
Virus — Slows down a system or network.
SPAM — Email with a link allowing malware to be inserted on the computer.
Botware — Seeks to control a set of computers for use in a DDOS attack.
SEO — Decreases a site's searchability.
Attacks not requiring human intervention
Backdoor — Allows entry through an unexpected passage.
Rootkit — Tools allowing undetected access to a system.
Spyware — Hides on your device to steal information.
How does Malware Work and in What ways it Infects? (malwarefox.com)
How To Recognize, Remove, and Avoid Malware | Consumer Advice (ftc.gov)
How to know if a website is safe: 10 safety tips | Norton
Threat Mitigation
Prevention — Fix the vulnerability or make it harder to exploit.
Preemption — Attack the attacker.
Deterrence — Convince the attacker that it is not worth the effort.
Deflection — Divert the attacker away from the assets.
Detection — Sound an alarm to scare attackers away.
Countermeasures — Strengthen defenses in response to an attack.
Social Engineering Attacks
Social engineering is the set of methods used to ‘hack’ a person instead of a computer to obtain the same information.
Attack vectors
Commitment — Preying on people's desire to follow through on promises.
Authority — Feigning higher authority than they actually possess.
Reciprocity — Giving something and requiring something of greater worth in return.
Reverse engineering — Creating a problem, offering to solve it, and acting with higher authority from that position.
Likening — Pretending to be similar to the victim to gain trust.
Scarcity — Scaring the victim into doing something due to lack of availability in the future.
Defense methods
Training — Train your team how to recognize and handle social engineering attempts.
Reaction — Taking time to evaluate possible social engineering situations before offering access to private data.
Inoculation — Staging a social engineering situation to check your team's reaction.
Physical — Placing barriers such as key-code doors or security guards.
Policy — Creating rules that your team must abide by, with consequences for not doing so, to decrease the risk of becoming a victim of social engineering.
Homograph Attacks
Homographs are a social engineering method that uses similar-looking or special characters to imitate real websites, escaping filters and tricking users into visiting them. To identify and prevent homograph attacks, canonicalize the text into a common set of characters and test whether the two strings are actually the same. The browser will give you some hints if a site is likely trying to deceive you, such as showing the link target in the bottom left before you click it and blacklisting certain confusable characters.
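The canonicalize-then-compare check described above, as an added example that is not part of the original article or the course. The confusable table, the trusted host list and the sample hostnames are constructed for illustration; NFKC normalization folds compatibility characters such as fullwidth letters, the small table maps a few Cyrillic and Greek look-alikes to Latin, and the IDNA encoding shows the punycode form a resolver would actually see.

```python
import unicodedata

# Partial look-alike table (constructed for this example; the real Unicode
# confusables list is far larger). Maps non-Latin letters to the Latin letter
# they resemble.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",   # Cyrillic с у х і
    "\u03bf": "o", "\u03b1": "a",                                 # Greek ο α
    "\u2024": ".",                                                # one dot leader
}

# Constructed allow-list of hosts the user actually intends to visit.
TRUSTED = {"example.com", "login.example.com"}


def canonicalize(host: str) -> str:
    """Collapse a hostname to a skeleton in which look-alikes become plain ASCII."""
    # NFKC folds fullwidth letters (ｅ), ligatures and similar compatibility forms.
    folded = unicodedata.normalize("NFKC", host).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def is_mixed_script(label: str) -> bool:
    """True if one DNS label mixes letters from more than one script (Latin + Cyrillic)."""
    scripts = {unicodedata.name(ch, "?").split(" ")[0] for ch in label if ch.isalpha()}
    return len(scripts) > 1


def check_host(host: str, trusted: set = TRUSTED) -> tuple:
    """Classify a hostname; returns (verdict, ASCII form the resolver would see)."""
    host = host.lower()
    ascii_form = host.encode("idna").decode("ascii")  # IDNA/punycode form, e.g. xn--...
    if host in trusted or ascii_form in trusted:
        return "trusted", ascii_form
    if canonicalize(host) in trusted:
        # Looks identical to a trusted host once canonicalized, but resolves elsewhere.
        return "homograph", ascii_form
    if any(is_mixed_script(label) for label in host.split(".")):
        return "mixed-script", ascii_form
    return "unknown", ascii_form
```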
Command and Script Injection Attacks
Script injection is a type of attack that uses script to alter data. Subtypes include SQL injection, command injection, FTP injection, LDAP injection, and shell injection. SQL injection manipulates the database in unintended ways by placing SQL query language commands in an input field. The text input could include a comment to remove conditionals, a tautology (1=1) to ensure it is accepted, a UNION query to get access to other data, and/or additional SQL statements to extract more information.
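The comment trick from the paragraph above, run against a vulnerable login query and its parameterized fix. This is an added example, not code from the article or the course; the in-memory SQLite table, user names and passwords are constructed for the demo (plaintext passwords only to keep it short).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demonstration."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str):
    """Builds the query by string formatting, so user input is parsed as SQL."""
    sql = (f"SELECT role FROM users WHERE name = '{name}' "
           f"AND password = '{password}'")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(con: sqlite3.Connection, name: str, password: str):
    """Binds the input as parameters, so it is only ever compared as a value."""
    row = con.execute("SELECT role FROM users WHERE name = ? AND password = ?",
                      (name, password)).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Same crafted input through both functions; returns the role each one grants."""
    con = make_db()
    # The closing quote ends the string literal and '--' comments out the
    # password conditional, exactly the 'comment to remove conditionals' case.
    crafted_name = "alice' --"
    return {
        "vulnerable": login_vulnerable(con, crafted_name, "wrong-password"),
        "safe": login_safe(con, crafted_name, "wrong-password"),
        "legit": login_safe(con, "alice", "s3cret"),
    }
```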
Developer Best Practices
Never trust users — Most users are not out to get you but a few are and it is difficult to tell who is.
Least privilege — Every program and user should have access to as little as possible.
Simple is more secure — Complex code increases the likelihood of introducing security vulnerabilities.
Expect the unexpected — Developers should assume their system will be attacked and figure out how it will happen so they can prevent it ahead of time.
Security through obscurity — Do not provide any more information than is absolutely necessary.
Defense in depth — Create several layers of redundant defenses to make it more difficult to be breached.
Whitelisting over blacklisting — Disallow most values by default. Only allow values you know are acceptable.
Map data movement and exposure — Track data to increase your ability to be aware of being breached.
For specifics relative to React or Node, see these articles I put together.
Threat modeling
Knowing the threats and how they happen is useful, but if you do not know which kinds of threats are most relevant and important to your resources, this knowledge is of much less value. Threat modeling focuses on planning which issues should be prioritized, since a system can never be completely impervious to attacks.
Authentication
There are 3 types of authentication keys. “Have” means you must have physical possession of an item. “Know” is unique knowledge of some information. “Are” is biological information.
A good password is easy to remember and random enough that it is hard to guess.
See this article on choosing passwords.
The general idea of password authentication is simple to implement: create an input field and compare the entered value with the expected value. Storing passwords securely is trickier. Passwords should always be encrypted. Authentication tools include Auth0, Firebase, and many others.
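An added example of the compare-the-entered-value idea with secure storage, not code from the article or the course. The stored form here is a salted password hash (PBKDF2-HMAC-SHA256) rather than a reversible encryption, which is how production systems implement the "encrypted" storage mentioned above; the iteration count, record format and UserStore class are assumptions for this example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (assumed value for this example; raise it as hardware allows).
ITERATIONS = 200_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (hex fields)."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Record for a dummy password so unknown users cost the same work as known ones.
DUMMY_RECORD = hash_password("dummy")


class UserStore:
    """Minimal constructed user database: only hash records are kept, never passwords."""

    def __init__(self):
        self._records = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        # The expected value is never compared as plaintext; the candidate is
        # hashed with the stored salt and the digests are compared instead.
        record = self._records.get(username, DUMMY_RECORD)
        ok = verify_password(record, password)
        return ok and username in self._records
```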
Access Control
Access control is how you determine if a user should be able to access and change data.
Bell-LaPadula — Users can read data at lower access levels but cannot write to a document on lower levels. They cannot read data at higher access levels, but they can write to a document on higher levels.
Biba — Users cannot read data at lower access levels but can write to a document on lower levels. They can read data at higher access levels, but they cannot write to a document on higher levels.
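The two rule sets above as executable checks, added here as an example that is not part of the article or the course. The level lattice, the Entity class carrying both a confidentiality and an integrity label, and the combined check are assumptions for this example; the combined check goes slightly beyond the text by showing how the two models are applied together on separate labels.

```python
from dataclasses import dataclass

# Constructed ordered lattice of access levels, lowest first.
LEVELS = ("public", "confidential", "secret", "top_secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


def blp_allows(subject: str, obj: str, op: str) -> bool:
    """Bell-LaPadula (confidentiality): read down only, write up only."""
    s, o = RANK[subject], RANK[obj]
    if op == "read":
        return s >= o      # no read up
    if op == "write":
        return s <= o      # no write down
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: str, obj: str, op: str) -> bool:
    """Biba (integrity): the mirror image, read up only, write down only."""
    s, o = RANK[subject], RANK[obj]
    if op == "read":
        return s <= o      # no read down
    if op == "write":
        return s >= o      # no write up
    raise ValueError(f"unknown operation {op!r}")


@dataclass(frozen=True)
class Entity:
    """A subject or object labelled on both lattices (assumed layout for this example)."""
    name: str
    confidentiality: str   # checked with Bell-LaPadula
    integrity: str         # checked with Biba


def access_allowed(subject: Entity, obj: Entity, op: str) -> bool:
    """Grant only if both models agree; each property is checked on its own label."""
    return (blp_allows(subject.confidentiality, obj.confidentiality, op)
            and biba_allows(subject.integrity, obj.integrity, op))


def allowed_ops(model, subject: str, obj: str) -> set:
    """Which of read/write a model permits for a subject level against an object level."""
    return {op for op in ("read", "write") if model(subject, obj, op)}
```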