
Software Security Chapter 1

Information security threats can take many forms, such as software attacks, theft of intellectual property, identity theft, theft of equipment or information, sabotage, and information extortion.
A threat can be anything that can take advantage of a vulnerability to breach security and negatively alter, erase, or harm an object or objects of interest.
Software attacks means attacks by viruses, worms, Trojan horses etc. Many users believe that malware, viruses, worms and bots are all the same thing. But they are not the same; the only similarity is that they are all malicious software, and they behave differently.

Malware is a combination of 2 terms: Malicious and Software. So malware basically means malicious software, which can be an intrusive program code or anything that is designed to perform malicious operations on a system. Malware can be divided into 2 categories:

1. Infection Methods
2. Malware Actions

Malware on the basis of infection method is the following:

1. Virus – They have the ability to replicate themselves by hooking themselves to a program on the host computer, like songs, videos etc., and then they travel all over the Internet. The Creeper Virus was first detected on ARPANET. Examples include File Virus, Macro Virus, Boot Sector Virus, Stealth Virus etc.
2. Worms – Worms are also self-replicating in nature, but they don’t hook themselves to a program on the host computer. The biggest difference between viruses and worms is that worms are network-aware. They can easily travel from one computer to another if a network is available, and on the target machine they will not do much harm; they will, for example, consume hard disk space, thus slowing down the computer.
3. Trojan – The concept of a Trojan is completely different from that of viruses and worms. The name Trojan is derived from the ‘Trojan Horse’ tale in Greek mythology, which explains how the Greeks were able to enter the fortified city of Troy by hiding their soldiers in a big wooden horse given to the Trojans as a gift. The Trojans were very fond of horses and trusted the gift blindly. In the night, the soldiers emerged and attacked the city from the inside.
Their purpose is to conceal themselves inside software that seems legitimate, and when that software is executed they will do their task of either stealing information or any other purpose for which they are designed.
They often provide a backdoor gateway for malicious programs or malevolent users to enter your system and steal your valuable data without your knowledge and permission. Examples include FTP Trojans, Proxy Trojans, Remote Access Trojans etc.

4. Bots – can be seen as an advanced form of worms. They are automated processes that are designed to interact over the internet without the need for human interaction. They can be good or bad. A malicious bot can infect one host and, after infecting it, will create a connection to the central server, which will provide commands to all infected hosts attached to that network, called a Botnet.

Malware on the basis of Actions:

1. Adware – Adware is not exactly malicious, but it does breach the privacy of the users. It displays ads on a computer’s desktop or inside individual programs. It comes attached to free-to-use software and is thus the main source of revenue for such developers. It monitors your interests and displays relevant ads. An attacker can embed malicious code inside the software, and adware can monitor your system activities and can even compromise your machine.
2. Spyware – It is a program, or we can say software, that monitors your activities on the computer and reveals the collected information to an interested party. Spyware is generally dropped by Trojans, viruses or worms. Once dropped, it installs itself and sits silently to avoid detection.
One of the most common examples of spyware is the KEYLOGGER. The basic job of a keylogger is to record user keystrokes with timestamps, thus capturing interesting information like usernames, passwords, credit card details etc.
3. Ransomware – It is a type of malware that will either encrypt your files or lock your computer, making it inaccessible either partially or wholly. Then a screen will be displayed asking for money, i.e. a ransom, in exchange.
4. Scareware – It masquerades as a tool to help fix your system, but when the software is executed it will infect your system or completely destroy it. The software will display a message to frighten you and force you to take some action, like paying them to fix your system.
5. Rootkits – are designed to gain root access, or we can say administrative privileges, in the user system. Once root access is gained, the exploiter can do anything from stealing private files to private data.
6. Zombies – They work similarly to spyware. The infection mechanism is the same, but they don’t spy and steal information; rather, they wait for commands from hackers.

• Theft of intellectual property means violation of intellectual property rights like copyrights, patents etc.
• Identity theft means to act as someone else to obtain a person’s personal information or to access vital information they have, like accessing the computer or social media account of a person by logging into the account using their login credentials.
• Theft of equipment and information is increasing these days due to the mobile nature of devices and increasing information capacity.
• Sabotage means destroying a company’s website to cause loss of confidence on the part of its customers.
• Information extortion means theft of a company’s property or information to receive payment in exchange. For example, ransomware may lock the victim’s files, making them inaccessible and thus forcing the victim to make a payment in exchange. Only after payment will the victim’s files be unlocked.

These are the old generation attacks, which continue these days too, with advancement every year. Apart from these there are many other threats. Below is a brief description of these new generation threats.

• Technology with weak security – With the advancement in technology, with every passing day a new gadget is being released in the market. But very few are fully secured and follow Information Security principles. Since the market is very competitive, the security factor is compromised to make the device more up to date. This leads to theft of data/information from the devices.
• Social media attacks – In this, cyber criminals identify and infect a cluster of websites that persons of a particular organization visit, to steal information.
• Mobile Malware – There is a saying that when there is connectivity to the Internet there will be danger to security. The same goes for mobile phones, where gaming applications are designed to lure customers to download the game, and unintentionally they will install malware or a virus on the device.
• Outdated Security Software – With new threats emerging every day, updating security software is a prerequisite to having a fully secured environment.
• Corporate data on personal devices – These days every organization follows the rule of BYOD. BYOD means Bring Your Own Device, like laptops and tablets, to the workplace. Clearly BYOD poses a serious threat to the security of data, but due to productivity issues organizations are arguing to adopt this.
• Social Engineering – is the art of manipulating people so that they give up their confidential information like bank account details, passwords etc. These criminals can trick you into giving up your private and confidential information, or they will gain your trust to get access to your computer to install malicious software that will give them control of your computer. An example is an email or message from your friend that was probably not sent by your friend. A criminal can access your friend’s device and then, by accessing the contact list, can send an infected email or message to all contacts. Since the message/email is from a known person, the recipient will definitely check the link or attachment in the message, thus unintentionally infecting the computer.

Active and Passive attacks in Information Security

Active attacks: An active attack attempts to alter system resources or affect their operations. Active attacks involve some modification of the data stream or the creation of false statements. Types of active attacks are as follows:
• Masquerade
• Modification of messages
• Repudiation
• Replay
• Denial of Service
Masquerade –
A masquerade attack takes place when one entity pretends to be a different entity. A masquerade attack involves one of the other forms of active attacks. If an authorization procedure is not fully protected, it can become extremely vulnerable to a masquerade attack. Masquerade attacks may be performed using stolen passwords and logins, by finding gaps in programs, or by finding a way around the authentication process.

[Figure: Masquerade attack]

Modification of messages –
It means that some portion of a message is altered or that message is delayed or
reordered to produce an unauthorized effect. Modification is an attack on the
integrity of the original data. It basically means that unauthorized parties not only
gain access to data but also spoof the data by triggering denial-of-service attacks,
such as altering transmitted data packets or flooding the network with fake data.
Manufacturing is an attack on authentication. For example, a message meaning
“Allow JOHN to read confidential file X” is modified as “Allow Smith to read
confidential file X”.

[Figure: Modification of messages]

Repudiation –
This attack occurs when the network is not completely secured or the login control
has been tampered with. With this attack, the author’s information can be changed
by actions of a malicious user in order to save false data in log files, up to the
general manipulation of data on behalf of others, similar to the spoofing of e-mail
messages.
Replay –
It involves the passive capture of a message and its subsequent transmission to produce an unauthorized effect. In this attack, the basic aim of the attacker is to save a copy of the data originally present on that particular network and later use this data for personal purposes. Once the data is corrupted or leaked, it is insecure and unsafe for the users.

[Figure: Replay]

Denial of Service –
It prevents the normal use of communication facilities. This attack may have a
specific target. For example, an entity may suppress all messages directed to a
particular destination. Another form of service denial is the disruption of an entire
network either by disabling the network or by overloading it with messages so as
to degrade performance.

[Figure: Denial of service]

Passive attacks: A Passive attack attempts to learn or make use of information
from the system but does not affect system resources. Passive Attacks are in the
nature of eavesdropping on or monitoring transmission. The goal of the opponent
is to obtain information that is being transmitted. Types of Passive attacks are as
follows:
• The release of message content
• Traffic analysis
The release of message content –
Telephonic conversation, an electronic mail message, or a transferred file may
contain sensitive or confidential information. We would like to prevent an
opponent from learning the contents of these transmissions.

[Figure: Passive attack]

Traffic analysis –
Suppose that we had a way of masking the information (encryption), so that the attacker, even after capturing the message, could not extract any information from it.
The opponent could still determine the location and identity of the communicating hosts and could observe the frequency and length of the messages being exchanged. This information might be useful in guessing the nature of the communication that was taking place.
The most useful protection against traffic analysis is encryption of SIP traffic. To analyse the traffic, an attacker would then have to access the SIP proxy (or its call log) to determine who made the call.

Computer Security and its Challenges
There are three main objectives of computer security, which are also referred to as the CIA triad.
1. Confidentiality
2. Integrity
3. Availability

1. Confidentiality:
• Data confidentiality –
It is a property which ensures that any private information that can be harmful if disclosed to an unauthorized person is disclosed only to a legitimately authorized party, so that no one can take advantage of someone’s personal information.
• Privacy –
It is the property of the digital world that ensures that a person has the right to have any information related to them stored by whomsoever they want, and that no other person should look through their information or share it without their consent. If information is shared without consent, it is a breach of privacy, which is a punishable offence.
2. Integrity:
• Data integrity –
It ensures that the system and information are changed only in the way that the user wants and are not breached by any third party with an intent to harm.
• System integrity –
This ensures that the system works in the manner in which it is designed to perform and that its performance is not manipulated by anyone else, that is, any third party which manipulates the system to work according to their wishes rather than the user’s.
3. Availability:
This ensures that the system works properly and does not deny access to an authorized user.
Computer Security Challenges :
1. Security is not simple; it requires a lot of research and money.
2. Potential attacks on the security features need to be considered.
3. Procedures used to provide particular services are often counter-
intuitive.
4. It is necessary to decide where to use the various security mechanisms.
5. Requires constant monitoring.
6. Security mechanisms typically involve more than a particular algorithm
or protocol.
7. Security is essentially a battle of wits between a perpetrator and the
designer.
8. Little benefit from security investment is perceived until a security
failure occurs.
9. Strong security is often viewed as an impediment to efficient and user-
friendly operation.

Types of Security Mechanism

A security mechanism can also be termed as a set of processes that deal with recovery from a security attack. Various mechanisms are designed to recover from these specific attacks at various protocol layers.
Types of security mechanism are:
1. Encipherment:
This security mechanism deals with hiding and covering of data, which helps the data to become confidential. It is achieved by applying mathematical calculations or algorithms which reconstruct the information into a form that is not readable. It is achieved by two famous techniques named Cryptography and Encipherment. The level of data encryption depends on the algorithm used for encipherment.
2. Access Control:
This mechanism is used to stop unattended access to the data which you are sending. It can be achieved by various techniques such as applying passwords, using a firewall, or just by adding a PIN to the data.
3. Notarization:
This security mechanism involves the use of a trusted third party in communication. It acts as a mediator between sender and receiver so that any chance of conflict is reduced. This mediator keeps a record of the requests made by the sender to the receiver in case they are later denied.
4. Data Integrity:
This security mechanism works by appending to the data a value which is created from the data itself. It is similar to sending a packet of information known to both the sending and receiving parties, which is checked before and after the data is received. When this packet or appended data is checked and is the same on sending and on receiving, data integrity is maintained.
5. Authentication exchange:
This security mechanism deals with the identity to be known in communication. This is achieved at the TCP/IP layer, where a two-way handshaking mechanism is used to ensure data is sent or not.
6. Bit stuffing:
This security mechanism is used to add some extra bits into the data which is being transmitted. It helps the data to be checked at the receiving end and is achieved by even parity or odd parity.
7. Digital Signature:
This security mechanism is achieved by adding digital data that is not visible to the eye. It is a form of electronic signature which is added by the sender and checked by the receiver electronically. This mechanism is used to preserve data which is not especially confidential but for which the sender’s identity is to be made known.
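
The data integrity mechanism above, applied to the earlier "Allow JOHN to read confidential file X" modification example and to the replay attack, as an added example that is not part of the original chapter. It assumes the sender and receiver already share a secret key, uses a keyed HMAC-SHA-256 tag rather than a plain checksum (so an attacker who alters the message cannot recompute the appended value), and adds a sequence number so a captured packet cannot be accepted twice; the function and class names are illustrative.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # size of an HMAC-SHA-256 tag in bytes
SEQ_LEN = 8   # size of the big-endian sequence number


def protect(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender side: prepend a sequence number and append a tag that is
    computed from the key, the sequence number and the message."""
    header = struct.pack(">Q", seq)
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + message + tag


class Receiver:
    """Receiver side: recompute the tag and remember the highest sequence
    number accepted so far."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, packet: bytes):
        """Return (status, message); status is 'ok', 'modified' or 'replayed'."""
        if len(packet) < SEQ_LEN + TAG_LEN:
            return "modified", None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison of the received and recomputed values.
        if not hmac.compare_digest(tag, expected):
            return "modified", None
        (seq,) = struct.unpack(">Q", body[:SEQ_LEN])
        # The tag is valid, so the packet is genuine; reject it if it is old.
        if seq <= self.last_seq:
            return "replayed", None
        self.last_seq = seq
        return "ok", body[SEQ_LEN:]


def demo_integrity():
    key = b"constructed-demo-key-not-for-use"  # constructed sample key
    rx = Receiver(key)
    original = protect(key, 0, b"Allow JOHN to read confidential file X")
    # Modification of messages: the name is altered in transit.
    tampered = original.replace(b"JOHN", b"Smith")
    # Replay: the same valid packet is delivered a second time.
    return [
        rx.accept(tampered)[0],
        rx.accept(original)[0],
        rx.accept(original)[0],
        rx.accept(protect(key, 1, b"Allow JOHN to read confidential file Y"))[0],
    ]


if __name__ == "__main__":
    print(demo_integrity())
```
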
Network Security Model

A Network Security Model exhibits how the security service has been designed over
the network to prevent the opponent from causing a threat to the confidentiality or
authenticity of the information that is being transmitted through the network.

In this section, we will be discussing the general ‘network security model’, where we will study how messages are shared between the sender and receiver securely over the network. We will also discuss the ‘network access security model’, which is designed to secure your system from unwanted access through the network.

For a message to be sent or received there must be a sender and a receiver. Both the sender and receiver must also mutually agree to the sharing of the message. Now, the transmission of a message from sender to receiver needs a medium, i.e. an information channel, which is an Internet service.

A logical route is defined through the network (Internet) from the sender to the receiver, and using the communication protocols both the sender and the receiver establish communication.

Well, we are concerned about the security of the message over the network when the
message has some confidential or authentic information which has a threat from an
opponent present at the information channel. Any security service would have the three
components discussed below:

1. Transformation of the information which has to be sent to the receiver, so that any opponent present at the information channel is unable to read the message. This indicates the encryption of the message.

It also includes the addition of code during the transformation of the information which will be used in verifying the identity of the authentic receiver.

2. Sharing of the secret information between sender and receiver, of which the opponent must not have any clue. Yes, we are talking of the encryption key, which is used during the encryption of the message at the sender’s end and also during the decryption of the message at the receiver’s end.

3. There must be a trusted third party which should take the responsibility of distributing the secret information (key) to both the communicating parties and also protect it from any opponent.

Now we will study a general network security model with the help of the figure given below:

[Figure: Network security model]

The network security model presents the two communicating parties, sender and receiver, who mutually agree to exchange the information. The sender has information to share with the receiver.

But the sender cannot send the message on the information channel in readable form, as it would be under threat of attack by the opponent. So, before sending the message through the information channel, it should be transformed into an unreadable format.

Secret information is used while transforming the message, which will also be required when the message is retransformed at the recipient side. That’s why a trusted third party is required, which takes the responsibility of distributing this secret information to both the parties involved in communication.

So, considering this general model of network security, one must consider the following
four tasks while designing the security model.

1. To transform a readable message at the sender side into an unreadable format, an appropriate algorithm should be designed such that it is difficult for an opponent to crack that security algorithm.

2. Next, the network security model designer is concerned about the generation of the secret information, which is known as a key.
This secret information is used in conjunction with the security algorithm in order to transform the message.

3. Now, the secret information is required at both ends, the sender’s end and the receiver’s end. At the sender’s end, it is used to encrypt or transform the message into unreadable form, and at the receiver’s end, it is used to decrypt or retransform the message into readable form.
So, there must be a trusted third party which will distribute the secret information to both sender and receiver. While designing the network security model, the designer must also concentrate on developing the methods to distribute the key to the sender and receiver.
An appropriate methodology must be used to deliver the secret information to the communicating parties without the interference of the opponent.

It is also taken care that the communication protocols that are used by the
communicating parties should be supporting the security algorithm and the secret key
in order to achieve the security service.

Till now we have discussed the security of the information or message over the
network. Now, we will discuss the network access security model which is designed
to secure the information system which can be accessed by the attacker through the
network.

You are well aware of the attackers who attack your system that is accessible through the internet. These attackers fall into two categories:

1. Hacker: The one who is only interested in penetrating into your system. They do not cause any harm to your system; they only get satisfied by getting access to your system.

2. Intruders: These attackers intend to do damage to your system or try to obtain information from the system which can be used to attain financial gain.

The attacker can place a logical program on your system through the network which can affect the software on your system. This leads to two kinds of risks:

a. Information threat: This kind of threat modifies data on the user’s behalf which the user should not actually access, like enabling some crucial permission in the system.

b. Service threat: This kind of threat disables the user from accessing data on the system.

Well, these kinds of threats can be introduced by launching worms and viruses and many more like these on your system. Attacks with worms and viruses are software attacks that can be introduced to your system through the internet.

The network security model to secure your system is shown in the figure below:

[Figure: Network access security model]

There are two ways to secure your system from an attacker, of which the first is to introduce the gatekeeper function. Introducing a gatekeeper function means introducing login-ids and passwords, which keep away unwanted access.

In case the unwanted user gets access to the system, the second way to secure your system is introducing internal controls, which detect the unwanted user trying to access the system by analyzing system activities. This second method we call antivirus, which we install on our system to prevent the unwanted user from accessing our computer system through the internet.
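
The two layers described above, sketched as an added example that is not part of the original chapter: a gatekeeper that checks a login-id and password against a salted PBKDF2 hash, and an internal control that analyses the gatekeeper's activity log for a successful login that follows a burst of failures from the same source. The class and function names, the thresholds, the addresses and the sample events are all constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Gatekeeper:
    """First layer: login-id and password check; every attempt is logged."""

    def __init__(self):
        self.accounts = {}   # login_id -> (salt, password hash)
        self.audit_log = []  # (timestamp, login_id, source, success)

    def add_user(self, login_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[login_id] = (salt, _hash(password, salt))

    def login(self, login_id: str, password: str, source: str, now: int) -> bool:
        record = self.accounts.get(login_id)
        ok = False
        if record is not None:
            salt, stored = record
            # Constant-time comparison of the stored and candidate hashes.
            ok = hmac.compare_digest(_hash(password, salt), stored)
        self.audit_log.append((now, login_id, source, ok))
        return ok


def internal_control(audit_log, max_failures=3, window=60):
    """Second layer: flag (login_id, source) when a login succeeds after at
    least max_failures failed attempts from that source within window seconds."""
    failures = defaultdict(list)
    alerts = []
    for ts, login_id, source, ok in audit_log:
        recent = [t for t in failures[source] if ts - t <= window]
        if ok and len(recent) >= max_failures:
            alerts.append((login_id, source))
        if not ok:
            recent.append(ts)
        failures[source] = recent
    return alerts


def demo_gatekeeper():
    gate = Gatekeeper()
    gate.add_user("alice", "correct horse battery staple")
    # Constructed activity: one normal login, then guesses from another source.
    results = [
        gate.login("alice", "correct horse battery staple", "198.51.100.2", 0),
        gate.login("alice", "123456", "203.0.113.7", 100),
        gate.login("alice", "password", "203.0.113.7", 105),
        gate.login("alice", "letmein", "203.0.113.7", 110),
        gate.login("alice", "correct horse battery staple", "203.0.113.7", 115),
    ]
    return results, internal_control(gate.audit_log)


if __name__ == "__main__":
    print(demo_gatekeeper())
```

The last login passes the gatekeeper because the password is correct; only the internal control, looking at the surrounding activity, marks it as suspicious.
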

So, this is all about the network security model. We have discussed two network security models: one, securing your information over the network during information transmission; second, securing your information system, which can be accessed by the hacker through the network or internet.

What is Software Security?


Software security is the umbrella term used to describe software that is engineered such that it continues to function correctly under malicious attack. Software security describes methodologies, frameworks, processes, and strategies that enhance security and reduce vulnerabilities within software and the environment in which it runs.

Approaches to software security are frequently structured around potential malicious cyber attacks. Software security also attempts to identify, protect against, and create solutions for vulnerabilities that are not the result of malicious attacks but are nonetheless harmful.

Software security looks to increase the integrity of software by testing and fortifying software at the various stages and environments it moves through during the software development lifecycle (SDLC) and following its release.

What is difference between application security and software security?

Software security involves a holistic approach in an organization to improve its information security posture, safeguard assets, and enforce privacy of non-public information; whereas application security is only one domain within the whole process.

Software security activities include:

• Secure software design

• User authentication

• User session management

• Secure coding that follows established guidelines

• Validation of third-party components

Application security activities include:

• IP filtering

• Post deployment security tests

• Monitoring of programs at runtime to enforce the software use policy

• Malicious code detection

• Capture of flaws in software environment configuration
