3.5 Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements

  • Client-based systems
  • Server-based systems
  • Database systems
  • Cryptographic systems
  • Industrial Control Systems (ICS)
  • Cloud-based systems (Software as a Service (SaaS), Infrastructure as a Service (IaaS), Platform as a Service (PaaS))
  • Distributed systems
  • Internet of Things (IoT)
  • Microservices
  • Containerization
  • Serverless
  • Embedded systems
  • High-Performance Computing
  • Edge computing systems
  • Virtualized systems

How can we mitigate risks in computer hardware design?  It is assumed that the reader has some understanding of basic computer hardware, but we will go over some details here.

Computer Architecture

  • The Processor – the processor does very simple calculations very quickly.  It is up to the operating system to tell it how.  Some features that a computer processor might have

    • Multitasking – the processor can handle multiple tasks at the same time.  A processor does not compute multiple tasks at the same time by itself – the operating system assists by alternating the commands it gives the processor.

    • Multicore – the processor has multiple cores each of which can handle execution of tasks independently.

    • Multiprocessing – multiple processors work together to complete a task.  There are two ways that processors can do this.

      • Symmetric Multiprocessing – processors share an operating system and memory.  They take commands from the same operating system and store their data in the same memory.

      • Massively Parallel Processing – thousands of processors.  Each processor has its own operating system and memory but special software coordinates between them.  The operating system breaks a procedure into multiple tasks and each task is assigned to a different processor.

    • Multiprogramming – a single processor handles two or more tasks at the same time.  A processor handles task one, and then switches to task two, and then task three, etc..  Then it cycles back to the first task. 

      Sometimes, the processor wants to finish processing a task but is waiting for an application to respond.  This is more efficient because the processor can work on other tasks while waiting for applications to respond.

      Multiprogramming requires special software and is not used anymore.  It has been replaced by multiprocessing.

    • Multithreading – multiple tasks can take place at the same time.  We can separate tasks (processes) into threads.  A processor handles multiple threads at the same time. 

      Most processors support this through hyperthreading.  The processor can switch from one thread to another with very little overhead. 

      An example is having multiple documents open in Microsoft Word – one Microsoft Word process is running but there are multiple threads inside of it – one thread per document.

    • We want to control how data is processed.  If we have multiple classifications of data being processed on the same processor, we want to make sure that no process can access the data of another process.

      • Single State – we use a policy that allows a processor to handle data from one security classification at a time.  We control access to the system, so we decide what classification is being processed.

      • Multistate – we use a policy to allow a processor to handle data from multiple security classifications.  We use software to prevent the processor from sharing data between classification levels.  We don’t use multistate systems unless the cost is justified, because they are expensive.  The system is cost-effective for supercomputers, where it is not possible to purchase a separate computer for each processing task.

    • Protection – how does the processor protect its data?

      • Protection Ring – we want to organize the operating system’s components into multiple rings.

      • The deeper rings have higher security

        • Ring 0 is the deepest.  Any application in Ring 0 can access any memory location or file.  This is where the operating system kernel stays.  The kernel can decide whether any other application can run.  The kernel remains in memory as long as the computer is powered on.

        • Ring 1 allows the other types of operating system components to enter and leave the memory as required.

        • Ring 2 allows privileged drivers and utilities to run.  They can access peripherals and other files.

        • Ring 3 allows user applications to run.

      • Tasks executed by lower numbered rings have priority over tasks executed by higher numbered rings.  If an application needs to access data that a lower level ring has access to, it must ask that ring for permission. 

        For example, an application (Ring 3) requiring access to a peripheral must request permission from an application in Ring 2 or Ring 1.  Ring 2 or Ring 1 communicates directly with the peripheral.  Ring 3 is not permitted to communicate directly with a peripheral – it must send its messages to Ring 2, and Ring 2 decides whether to pass them on.  This is called the mediate-access model.  It prevents malicious programs from taking direct control over the computer hardware.

      • Process States – method for how a process can run.  A process is a running application.  There are two modes

        • Supervisor State – all access mode.  The process is given access to everything.

        • Problem State – user mode.  The process is given access to limited resources.  It must request access to additional resources as required.

      • Process State Types – what are the different process statuses?

        • Ready – a process is ready to go as soon as it is scheduled.  The CPU will execute the process as soon as it becomes available.

        • Waiting – the process is ready to execute but does not have a resource (access to a peripheral or permission for example).

        • Running – the process executes until it is finished or receives an interrupt.  This is also called the problem state (like a math problem, not like a bad problem).

        • Supervisory – the process must perform an action that requires privileges that it does not have.  It must go into supervisory mode to complete the task.

        • Stopped – the process has completed or should be terminated.  The operating system can recover its resources.

      • When the processor is ready, it checks for any waiting processes and executes the process from the lowest ring.  The kernel program executive (also called the process scheduler) decides which process is next and gives it to the processor.

      • US Government Security Modes – The US Government set up several security modes that systems must use when processing classified information.  These systems must have

        • Mandatory Access Control environment – that means everybody accessing the system must be identified

        • Total physical control over subjects that can access the computer

        • Total physical control over the subjects that can enter the room where the computer is located

        • Dedicated Mode Systems – another name for a single-state system

          • Each user must have a security clearance to access information

          • Each user must have access approval to access the information

          • Each user must have a need to know for all the information on the system

        • System High Mode

          • Each user must have a security clearance to access information

          • Each user must have access approval to access the information

          • Each user must have need to know for some of the information on the system

        • Compartmented Mode

          • Each user must have a security clearance to access information

          • Each user must have access approval to access the information

          • Each user must have a need to know for all the information they will access

          • The system is compartmented, so the user only needs access to the information that they will have access to, even if they have no access to the other information on the system.  The user will only be granted access to specific compartments on the system.

          • Compartmented Mode Workstations (CMWs)

            • A special type of computer where the data is compartmented to comply with Compartmented Mode

            • All data must be labelled with Sensitivity Levels and Information Labels are required.  Sensitivity Levels tell us what security level to store the data at.  Information Labels give us additional information about the objects.

        • Multilevel Mode
          • Some people will not have the adequate security clearance for all the data that a system will process.  The question is, does the user have the clearance to access the specific objects they will access?

          • Does the user have access approval for the objects they will access?

          • Does the user have a need to know for the objects they will access?

          • When we have a dedicated system, the user must have a security clearance that permits access to all the data on the system.  When we have a multilevel system, the user only requires a security clearance that permits access to the data that he requires.

    • Operating Modes – a processor will have multiple operating modes

      • User mode – mode that the CPU uses when executing user applications.  It protects the data and the system.  We might use a Virtual Machine to keep the system secure.

      • Privileged mode – mode that provides full access to system resources.  Also known as Supervisory Mode, System Mode, or Kernel Mode.  Only the kernel should have access to this mode.

  • Memory

    • There are several types of memory

      • Read-Only Memory – memory that the PC can read and not change. 

        • The data in this memory is burned in at the factory

        • We might store bootstrap information that tells the computer where to look on the disk to load the operating system

        • This memory allows for a Hardware Root of Trust.  It is possible for a hacker to modify the operating system that is on the disk.  So then how can we trust it?  When the ROM loads the operating system, it verifies that it wasn’t tampered with.  It does so by computing the hash of the operating system or checking its digital signature.  The ROM contains the correct value of the hash or digital signature.  Since the ROM can’t be changed, we can always trust it.  If the ROM is trusted, and it trusts the operating system, then we can also trust the operating system.

      • Programmable Read-Only Memory

        • Like ROM but not burned in from the factory

        • We can program this type of memory once and only once

      • Erasable Programmable Read Only Memory

        • Like ROM, but we can rewrite the memory multiple times

        • We can only activate the rewrite mode under special circumstances such as with a UV light

        • Allows authorized people to rewrite the data when required, so that chips can be reused

      • Electronically Erasable Programmable Read-Only Memory (EPROM)

        • Like ROM, but we can rewrite the chip multiple times

        • We can rewrite the chip by sending it a specific command or electrical signal

      • Flash Memory

        • Memory that can be erased and rewritten

        • We can erase portions of the memory and rewrite them (unlike EPROM where we can only erase and rewrite the entire chip at once)

        • Stores data even when the device is powered off

      • Random Access Memory

        • Readable and writable memory

        • Only stores data when the computer is powered on

        • We only store temporary data in the RAM, but can access it quickly

    • Some concepts of computer memory

      • Real Memory

        • Real memory is the largest amount of RAM available to the computer – this is the quantity of all the physical RAM installed

      • Cache RAM

        • Very fast memory that the computer uses to store the data we access the most.  Cache RAM is even faster than normal RAM.

        • Cache RAM is usually part of the processor, and only the processor can access it directly, whereas normal RAM can be accessed by the operating system.

        • There may be several layers of cache, ranked by how frequently the data is accessed – we want the processor to have the fastest access to data that it uses the most.

        • We don’t make the entire set of memory out of cache memory because it is too expensive

      • Registers

        • The registers are memory blocks that the CPU uses to store data used in calculations

      • Memory Address

        • Each portion of the memory has a unique address

        • That way, we know where we put each piece of data, and we can ask the memory to give us the data at a specific address

        • There are several addressing schemes, and they vary from manufacturer to manufacturer

      • Secondary Memory

        • This is memory that is not available directly to the processor

        • The operating system can read data from secondary memory (like a hard drive) and give it to the CPU.  The CPU can talk directly to the RAM but can’t talk directly to the hard drive or to an external storage device.

        • Virtual Memory.  When we don’t have enough RAM, the Operating System stores unfrequently used portions of the RAM onto the hard disk drive in a file called the pagefile.  The pagefile allows us to pretend that we have more RAM than we do, but it can make the computer slow.

    • We want to protect the data in RAM

      • The RAM might still contain data after being powered off, but extracting it is very difficult.

      • It is possible to obtain the contents of memory through a cold boot attack.  Some computing devices can provide full memory encryption, but it is not common.  Virtual servers can provide full memory encryption, because the virtual machine file itself can be encrypted.

  • Data Storage Devices

    • Some characteristics of Data Storage Devices

      • Primary vs Secondary storage – RAM is a primary device whereas hard disk drives and SSDs are secondary devices.

      • Volatile vs Non-volatile – a volatile device is erased when it is powered off.  RAM is volatile while most hard disks and SSDs are non-volatile.

      • Random vs Sequential – can we read from anywhere in the memory or do we have to go sequentially through the data?  Sequential devices include magnetic tapes.  When we want to access data on a magnetic tape, we must scroll through it until we find the piece of data that we want.  Except for magnetic tapes, almost all other mediums are random.  We use sequential magnetic tapes for back up because they are inexpensive, and data on them is accessed infrequently.

    • Security of Data Storage Devices

      • Data Remanence – does the data stay after we erase it?  With respect to a hard disk drive, the data might stay after we delete a file because the operating system only deletes the reference to the file, and not the file itself.

      • An SSD uses wear leveling – it might keep the data even after it has been deleted.  That is, it’s impossible to understand the inner workings of the SSD.

      • Full disk encryption – including hardware-based encryption – is a good idea. 

  • Input/Output Devices

    • Monitors

      • A monitor displays a video feed from a computer.

      • The TEMPEST program allows the government to detect the radiation emitted from you monitor and understand what is on your screen, even from far away.  If the government can do it, then other people can do it too.

      • Shoulder surfing is also dangerous.  That is when somebody is looking over your shoulder.  You can install a privacy filter so that people standing near you can’t see what is on your screen.

    • Printers

      • Printers pose a security risk because users will print documents and forget to pick them up.

      • Printers also insecurely store copies of documents that were printed or scanned.  Others can access the printers and view the documents.  Other users can access the printer interface via the network.

      • We must secure our printers so that others cannot hack into them.

      • There are probably thousands of ways to hack printers.

    • Keyboards/Mice

      • The TEMPEST program can also spy on signals from wireless keyboards and mice.  A person running TEMPEST can intercept the key presses travelling between a wireless keyboard and the receiver.
      • Keyboards can also be bugged through interception cables without the user knowing

    • Modems

      • A modem allows a foreign user to access a system remotely.

      • Modems are no longer useful for direct connections to computer systems, but still in use in many networks.

  • BIOS

    • The BIOS (Basic Input Output System) is a chip that tells the computer how to operate.

    • UEFI (Unified Extensible Firmware Interface) is a more advanced form of BIOS.

    • It is possible for a virus to enter the BIOS and modify its firmware.  A BIOS virus is practically impossible to detect because an antivirus program has no ability to scan the BIOS firmware.

    • Most devices have firmware stored on an integrated circuit.  For example, USB drives have firmware, which can be infected by viruses.  Once the USB drive’s firmware is infected, it is impossible to detect or remove it.  An antivirus can’t scan the contents of a USB drive’s firmware.

Some other items that we should protect

  • Applets

    • There are generally two ways to create an application

      • If the main application runs on the server, this is called server-side execution

      • If the main application runs on the client (on the user’s computer), this is called client-side execution).  The code that runs on the end user’s machine is called an applet.

        An applet is beneficial because it reduces the load on our server.  In some cases, the applet allows a user to perform calculations without sending sensitive data back to the server.  For example, a tool that generates secure passwords might be designed to perform the calculation on the user’s computer.

    • An applet might be malicious.  A cautious user might not run an applet unless they trust the source.

    • A Java Applet is a common type of Applet.  It is written in the Java code.

      • We need to install the Java Virtual Machine on our computer to be able to run a Java Applet

      • The Applet runs inside the Java Virtual Machine.  In other words, the Java VM is a virtual operating system within our main operating system.

      • The benefit of Java is that developers can create one version of the Applet, which can run on any type of operating system – provided the user has installed the Java Virtual Machine.

      • Java VM is supposed to separate the Java code from the operating system, but Java has many vulnerabilities.

    • ActiveX is an applet type that is proprietary to Microsoft operating systems

      • Windows does not place no restrictions on ActiveX applets.  They have full access to the computer and its resources.

  • Local Cache

    • A computer stores data on its local cache so that it doesn’t have to keep looking it up.

    • Examples include ARP and DNS.  We don’t want to keep looking up DNS records, so we store them locally.

    • A hacker can set up a false data source.  If we cache incorrect data, then we might send traffic to the wrong destination, where it can be intercepted.

    • Windows contains a file called the hosts file.  The hosts file contains IP addresses and corresponding domain names.  When you try to access a domain name, the value in the hosts file will override any value returned from a DNS server.  By default, a hosts file is blank.  A hacker could modify the hosts file so that it forces our computer to access the wrong server when we try to visit a website.

    • We might use a split DNS in a corporate network – an internal DNS for internal use and external DNS for external hosts

    • An authoritative DNS server (or nameserver) holds the original records for the hostname in question.  Different DNS servers can be authoritative for different hostnames.  A recursive (non-authoritative) DNS server is one that requests DNS data from the authoritative DNS server.

      • For example, AWS Route 53 DNS Servers are authoritative for amazon.com because they hold amazon.com’s original DNS records

      • If a user queries the AWS DNS server, he will receive an authoritative answer about the location of the amazon.com servers

      • After querying the AWS DNS server, DNS servers at the user’s ISP and office cache the DNS data.  Now, DNS servers closer to the user know the IP address of amazon.com

      • The user (or other users) can go back to the servers at their ISP or office to perform DNS lookups, but the answer will be non-authoritative.

    • In DNS Poisoning, a hacker corrupts the DNS records.  The hack can take place at the top-level DNS servers, at the ISP level, at the office level, or at the computer level.  The corrupted DNS can force a user to visit a fake server.

      • For example, Bank of America is located at IP address 11.11.11.11

      • A hacker sets up a server at 9.9.9.9 and then corrupts the DNS server to point users to Bank of America’s website at 9.9.9.9.  The users’ computers visit the website at 9.9.9.9 thinking they are accessing a legitimate Bank of America server.

    • ARP Poisoning is when a hacker sends wrong data to corrupt the ARP table.

      • Let’s say our office has a printer with an IP address of 10.10.1.1 and a MAC address of AB:CD:EF:12:34:56

      • Bob wants to print some sensitive documents.  His computer knows that the printer’s IP address is 10.10.1.1 but doesn’t know its MAC address.  It sends out an ARP request to 10.10.1.1 – basically the message says “if your IP address is 10.10.1.1, reply with your MAC address”, and the printer responds with AB:CD:EF:12:34:56

      • Bob’s computer stores this data in its ARP table (the IP address and corresponding MAC address)

      • Bob’s computer sends documents to be printed to AB:CD:EF:12:34:56

      • A hacker comes along and plugs a laptop into an open ethernet port in Bob’s office.  The hacker’s laptop has an IP address of 10.10.1.2 and a MAC address of AA:BB:CC:11:22:33

      • The hacker sends out an ARP message saying that 10.10.1.1 belongs to AA:BB:CC:11:22:33, the hacker’s computer.  This is an unsolicited ARP message, but everybody’s computer records it anyways.

      • Now Bob’s computer sends all printed documents to the hacker’s computer instead of the printer

      • The hacker can forward Bob’s documents to the printer, so that they print correctly, and Bob doesn’t suspect that his documents have been stolen

    • How to prevent ARP Poisoning

      • With common sense.  Obviously, the hacker should never have been able to plug his laptop into an open ethernet port in Bob’s office. 

        • Somebody should have noticed that there was an intruder and called the police

        • An open ethernet port should never be patched into a switch

        • The hacker’s laptop should never have been permitted to access the network, even if the port was patched in

        • But you’ll be surprised at how easy this is to accomplish

      • Use ARP spoofing detection software.  The software can perform cross-checking of ARP entries against a DHCP server or switch, which has accurate information.

      • Critical system components should have static ARP entries that cannot be changed.  This could require a substantial amount of maintenance for hosts that are DHCP.

  • Server

    • A server is a computer that provides applications to other users.

    • A load balancer distributes traffic among multiple resources.  For example, consider that the Google.com website has only one URL (www.google.com), which would ordinarily point to one IP address.  That IP address would ordinarily point to one web server. 

      When a user attempts to visit Google.com, his computer contacts the DNS server to determine its IP address.  It then accesses the server through that IP address.

      With respect to Google, one single web server would be overloaded by the traffic; in fact, the Google.com website has millions of web servers.  The solution is to install a load balancer in front of those servers.  The load balancer can distribute the incoming traffic among all the web servers.

    • DNS load balancing is when a domain name’s DNS records point to multiple web servers. 

      For example, Google.com’s DNS records could point to both 11.11.11.11 and 12.12.12.12, each of which is assigned to a separate server.  Some computers access Google via the 11.11.11.11 server and others access Google via the 12.12.12.12 server.

      This would balance the traffic among two servers (which is not enough for Google).  Attempting to balance millions of servers on one DNS record would not work because the customer would not have enough public IP addresses to cover all the servers in use, and the DNS record would be massive.  We do not want to retrieve a DNS record that has thousands of entries.

      • A load balancer uses a scheduling algorithm to determine how to distribute income traffic among the servers connected to it.  Consider a scenario where there is one load balancer and three servers, Server A, Server B, and Server C.  There are several types of load balancing algorithms

        • First Come First Served – each request is handled in the order that it arrives; when the servers are busy then additional requests are put on hold.  The load balancer sends the first request to Server A, the second request to Server B, and the third request to Server C.  The load balancer does not send additional requests to the servers until a server indicates that it has spare capacity (i.e. that it has completed the current request).

        • Round-Robin – each request is handled in the order that it arrives.  The load balancer sends the first request to Server A, the second request to Server B, and the third request to Server C.  The fourth request is sent to Server A, the fifth request is sent to Server B, and so on.  The round-robin algorithm assumes that all the servers have the same capacity, and that all requests are of the same size.  If some requests take longer to process, they could overload the servers.  If one server is more powerful then the rest, it could remain idle for extended periods of time (since all servers receive the same number of requests).

        • Weighed Round-Robin – like round robin, but each server is given a specific weight based on its capacity.  For example, if server A is twice as powerful as Server B or Server C, it can be given a weight of two, while Servers B and C are each given a weight of one.  Server A would then receive twice as many requests as Server B and Server C.

      • A sticky session allows a load balancer to remember each client (based on their HTTP session).  When a client is recognized, the load balancer sends that client back to the same server that they were previously connected to, regardless of the server load.  This allows the server to maintain the client’s data locally (and not in a central database).  This is also known as affinity.

      • Load balancers typically work in pairs or groups.  This prevents the load balancer from becoming a single point of failure.

      • In a logical network topology, the load balancer is shown to be connected between the internet and the servers that it is balancing.  In the physical reality, the load balancer can be connected anywhere on the network.  If a load balancer has 1000 servers connected behind it, it wouldn’t have 1000 physical connections to those servers, but instead would route traffic to them over the local network.  Regardless of the load balancer’s location, it must have a good network connection, typically 1 Gbps or 10 Gbps.

      • The group of servers connected to the load balancer can be active-passive or active-active.  In an active-active configuration, the load balancer distributes the work among all the connected servers.  In an active-passive configuration, a group of servers remain active (receive work) and a group remain passive (do not receive work).  In the event of a failure of one of the active servers, a passive server is activated and begins to receive work.

      • An active-active configuration is better because it can quickly respond to surges in traffic and allows the system to fully utilize all its resources.  It is also more expensive because all of the servers must stay powered on.

    • We can also use a Virtual IP to balance the traffic.  In this case, we don’t need a load balancer.  Instead, all the servers work together to share the workload. 

      • For example, if we have three servers:

        • Server A has a private IP of 10.0.0.1

        • Server B has a private IP of 10.0.0.2

        • Server C has a private IP of 10.0.0.3

      • The public IP address is 11.11.11.11

      • Servers A, B, and C communicate with each other over their private IPs 10.0.0.1, 10.0.0.2, and 10.0.0.3.  The servers all set 11.11.11.11 as their public IP, and then elect one server to respond to requests.  For example, Server A, B, and C choose to have Server B respond to all requests on 11.11.11.11.  If Server B is overloaded, it may communicate this fact with Server A and C, which designate Server A to temporarily respond to requests on 11.11.11.11.

      • The servers continually ping each other to ensure that all the servers are functional.  This form of communication is known as a heartbeat.  If Server B were to stop responding within a specific period, Server A and Server C would choose to designate Server A to respond to new requests. 

      • The algorithm used to determine which server would respond will vary from scenario to scenario.

    • DoS is Denial of Service.  There are millions of web servers operating on the internet (which host websites and applications).  If a hacker wants to bring down a web server, the hacker would flood that server with massive amounts of traffic.  The web server would then be unable to respond to legitimate traffic, and ordinary users would be unable to visit the website or access the application.  This is known as denial of service.  Services other than websites exist on the internet (credit card processing, databases, etc.), and all are vulnerable to DoS.

      • There are many types of DoS attacks

        • SYN flooding.  When a user wants to connect to a web server, a three-way handshake (SYN, SYN/ACK, ACK) process occurs between the two computers. 

          • The user sends a SYN message to the server (saying, hey I want to connect); the server responds with a SYN/ACK message to the user (saying I see you), and the user responds with an ACK message to the server (saying I acknowledge you).

          • In SYN flooding, the hacker imitates a legitimate user and sends more SYN requests than the web server can handle.  The web server responds with the SYN/ACK response, but the hacker does not complete the third part by sending the SYN.

          • The server keeps a connection open waiting for an ACK message that never arrives.  The server can only keep a limited number of connections open.  If all of them are waiting for ACK messages that will never arrive, then the server won’t be able to establish connections with legitimate users.

        • Fragmenting.  When a computer wants to send data, it breaks it down into pieces known as packets.  The packets may take different routes to reach their destination.  The receiving computer puts the packets back together.  The data in each packet should not overlap.

          • In a fragmenting attack, the hacker sends legitimate-looking data to the server, but puts overlapping data into each packet

          • The server attempts to put the data back together but can’t because the data overlaps.  If the operating system isn’t equipped to recognize this attack and discard the bad packets, then it will crash.

      • How to prevent Denial of Service

        • Most DoS attacks are preventable now.  Why?

        • A hacker will not have enough bandwidth to bring down a large web service.  Major websites such as Google, Facebook, eBay, etc. use distributed server farms consisting of millions of servers, with redundant pathways to the internet.  A hacker will not have enough capacity to overload their systems.

        • Most enterprise systems contain firewalls that can easily detect and block DoS attacks.  If a substantial amount of illegitimate traffic appears to be originating from a single source, it can simply be turned off.

        • For a small monthly fee, services such as CloudFlare offer large-scale cloud-based firewalls to protect smaller websites from DoS attacks (which they normally could not afford).

        • A company should never be a victim to the same attack twice.  After the first attack, they must investigate and rewrite their systems so that it never happens again.  The most common types of attacks are well documented, and systems are available to prevent them.

  • Database Security

    • There are several types of databases

      • Hierarchical and Distributed Database – when we have a tree of data.  We might call this a one-to-many database model.  A database that is hierarchical is specifically designed to store specific types of data.  We use nodes and edges.  The nodes represent objects and edges represent relationships.

      • NoSQL – NoSQL is a database model that doesn’t use relational models. These databases store documents that do not normally fir in a key/value.  We might store XML, HTML, or JSON data.

      • Relational Database – this is a flat database with rows and columns.  Data is mapped one to one, but the database tables have a primary key.  Data from one table can be linked to data from another table.  We call each column in a table a field.  Each row is called a record.  We can access any data instantly by calling up the key.

        • Candidate Key – a candidate key is a set of attributes that can uniquely identify a record in a table.  No records will have the same values for all of the attributes in a candidate key.

        • Primary Key – a field that uniquely identifies the records in a table.  Each table has only one primary key.

        • Foreign Key – a foreign key enforces relationships between two tables.  The foreign key corresponds to a primary key in another table.

    • Database Transaction

      • A database transaction is a request that updates the database in some way.  The entire transaction will succeed or fail.  It will not be executed in part.  This is important because the database could become corrupted otherwise.

      • At the end of the transaction, the database will automatically commit (save the changes). 

      • We can set the database so that it requires us to manually commit the changes.

      • We can rollback the database to the state that it was before the transaction.

      • A database transaction has four features

        • Atomicity – the transaction must either work completely or not work at all.  It cannot be executed partially.

        • Consistency – the transactions must all operate in a way that is consistent with the rules of the database.  The database must stay consistent after the transaction is completed.

        • Isolation – all transitions operate separate of each other. If two transactions are applied to the same data, one transaction must be completed before the second one is allowed to proceed.

        • Durability – the results of the transactions must be preserved

    • Multi Level Database Security

      • Database Contamination is when somebody has access to data in the database that they are not entitled to.  We need to limit each person’s access to only the data that they require.

    • Concurrency

      • Concurrency is also known as edit control

      • What happens when we have a large database and multiple copies of it?  We want to make sure that all copies have the same data at the same time.

      • A dirty read is when a transaction is completed only halfway and not rolled back.  If we read the data in the middle of a transaction, then that data is considered dirty.  To prevent this, we should “lock” the records that are being modified by the transaction.  Once the transaction succeeds, we would unlock it.

    • We should also consider the following

      • The data inserted into the database is in the correct format

      • The constraints on the database are being followed

      • There are time stamps on transactions

      • There is granular control on the objects in the database.  We can hide individual cells with cell suppression.

      • Context-dependent access controls means that we should think about the circumstances where data needs to be accessed before making a decision.

      • We might partition the database into multiple parts and assign each one a security level

      • Polyinstantiation is when there are two rows in the same database that have the same primary key but different data at different security levels.  For example, we have a database that shows the location of a military base.  At a low security level, the database record would show the city or state, and at a high security level, it might show the exact GPS coordinates.

      • We might also install false data into the database, but in areas that only we know about.  That prevents people from stealing our data because they don’t know which records are correct and which are incorrect.

    • How can we keep our database secure from attacks?

    • Aggregation – we should be able to limit the level of access to the database.  One way is to prevent users from conducting queries that return entire tables (when they only need access to a few records).  A user should not be able to determine the number of records in a table.

    • Inference Attack – a user might be able to combine multiple non-sensitive pieces of information into something that is sensitive.  We can protect our data with “blurring” or “data partitions”.  That means we could round some values or change some values so that they are less meaningful.  For example, if we have a database table with the names of people and their corresponding dates of birth, we could blur the table so that it only shows their age in years or their year of birth.

    • We should

      • Install only the necessary components of the database

      • Run the database services on an unprivileged account on a separate server

      • Use separate accounts for each database

      • Not use environment variables for authentication

      • Use a separate certificate for each database

      • Use TLS for all traffic

      • Change default passwords

      • Use MFA or certificates where possible

      • Assign the least privilege necessary for each account

    • Database Terms

      • Data Warehouse – a warehouse is a separate database where we can store large amounts of data.  Large databases are inefficient (they consume more system resources).  If we have data that is accessed infrequently, we could store it in a Data Warehouse.

      • Data Mining allows us to create models from data that we have stored.

      • Metadata is generated from Data Mining techniques.  Metadata describes the data.  It is data about the data.  For example, if a photograph is data, then the metadata might be the name of the photographer or the time that the photograph was taken.  We store metadata in a data mart.

      • We use Data Analytics to analyse a large set of data.  We might be looking for values that don’t make sense, average data, the range of the data, or other trends that allow us to describe the data.

    • Injection takes the form of SQL injection, XML injection, or LDAP injection.

      • Most websites are “database driven”.  That is, the front end of the website (the code, the photos, and the videos) are static/dynamic web pages and files, but data (usernames, passwords, comments, video views, etc.) are stored in databases.  The most common database format is SQL (available in MS SQL and MySQL).

      • Consider a standard form on a website (such as a registration form).  When a user fills out the form and presses the submit button, the data from the form goes to a script (some computer code).  The script processes the data and enters it into a database.

      • Consider a user named Bob Jones, who registers on our website by filling out a form with three fields: First Name, Last Name, and Username.  We previously created a database table to hold all our user data.  We called this table “username_table”. 

      • Bob filled out the following information
        • First Name: Bob
        • Last Name: Jones
        • Username: bjones

      • Bob’s data goes to a script, which generates an SQL statement as follows (this would insert the data ‘Bob’, ‘Jones’, ‘bjones’ as a new line in the table).  The semi-colon indicates the end of the line.

INSERT INTO username_table VALUES (‘Bob’, ‘Jones’, ‘bjones’);

  • If Bob was sneaky, he could enter ‘bjones’); DROP TABLE username_table;’  as his username.  Drop Table is a command that tells the SQL database to delete the table.

    • Bob wouldn’t know exactly the name of the table or the format of the script (because he wouldn’t know what kind of database we are using), but he could make a few guesses (or he could discover the name of the table through an error message on the site).  On a side note, a database (or database server) should never talk directly to a user or be exposed to the internet – it should only communicate with a web server.

    • This results in the following SQL statement

INSERT INTO username_table VALUES (‘Bob’, ‘Jones’, ‘‘bjones’); DROP TABLE username_table;

  • The first half of the statement inserts the data as normal.  But the second half (DROP TABLE username_table;) deletes the entire username table!  SQL injection attacks are easily preventable with the right code.

    • We can prevent injections

      • Use prepared statements when working with SQL

      • Sanitize the data (do not allow users to enter special characters unless necessary).  This should be enforced both on the client side and on the server side (malicious users can defeat client-side error handling).  Do not accept invalid data.

      • Why bother with client-side error handling if the server can prevent everything?  Client-side error handling enhances the user experience, for legitimate users.  Client-side error handling also reduces the load on the server.

      • Turn off verbose mode/error outputs in your code.  If there is a bug in the code, or if the application encounters an error, many web languages (such as PHP or ASP) will print the error directly in the web browser.  These errors can contain exact file directories and SQL database information, which would be exposed to all website visitors.
  • Parallel Data System

    A Parallel Data System is one that allows us to run many calculations at the same time

    Some problems are efficient when we break them down into many smaller problems and work on them at the same time.  If we have many computers, then each computer can work on one problem.

    Each problem must be efficient or else the system won’t be efficient

    There are two modes for Parallel Data Systems – AMP and SMP

    Asymmetric Multiprocessing (AMP) – the processors operate independently of one another.  They might be on separate computers.

    Symmetric Multiprocessing (SMP) – the processors do not operate independently. They share the same RAM and Operating Systems.

    When we link many AMPs together, we might call it Massively Parallel Processing.

  • An End Point is an end user device such as a phone or computer

    • There are many endpoints that can contain sensitive data or become entry points

    • Some ways to protect the end points

      • Screen all e-mails and other incoming/outgoing data at the end point or prior to it reaching the end point

      • Implement access controls including MFA and biometrics

      • Restrict access to sensitive data that is not required by the end user

      • Install hardware encryption

      • Separate processes that run in user mode from processes that run in admin mode

      • Create protection domains

      • Provide security awareness training to all users

      • Back up all data regularly

      • Consider protecting end points from environmental hazards such as floods or power surges

      • Think about disaster recovery techniques

    • An end point should have “defense in depth” protection

      • That means we have many layers of defense

      • Even if a hacker penetrates one layer, another layer will stop him

      • Defense in Depth is better than having a Fortress Mentality – a single strong layer of defense that is expected to protect against everything

Cloud Computing

We should understand some Cloud Computing concepts.

A hypervisor is a software application that acts like a virtual machine.  A hypervisor allows a user to run multiple virtual servers on a single physical server.  The hypervisor allocates hardware resources to each virtual server.  There are two types of hypervisors

  • Type I – runs directly on the system hardware.  This is known as a bare metal hypervisor.  Examples include Microsoft Hyper-V and VMware vSphere.

  • Type II – runs on top of a host operating system.  Examples include Oracle VirtualBox.

  • Application Cells/Containers – an application cell allows multiple virtual server containers to share a single operating system.  Each cell only maintains separately the files that it needs to perform its function.  By containerizing the operating system, overhead is reduced, and applications can be ported to different servers.  In other words, a container is like a virtual machine with a preinstalled operating system.

A Virtual Machine is a server that runs inside the hypervisor.  It is not a physical server.  The hypervisor tricks the operating system in the virtual machine to think that it is running on its own independent server, when in reality, the hypervisor is sharing server resources among multiple virtual machines.

Cloud Storage is increasingly used by organizations.  In cloud storage, an organization pays for data storage that it uses each month, and the amount of data transfer that takes place.

Popular cloud storage applications include

  • Amazon S3
  • Microsoft Azure

A cloud storage provider may use the same physical hardware to house data belonging to multiple customers.  If the system is not secure, a malicious customer may gain access to the data of another customer.  An organization must encrypt all of its data prior to transferring it to the cloud.

Elasticity is a concept in cloud computing where a system can expand to meet the needs of its users.  The system should be able to expand in real time to avoid disruptions or bottlenecks.  An organization does not want to pay for more resources than it can consume, but also it needs to be able to access all the resources that it needs.

Cloud computing services allow users to create scripts that monitor demand in real time, and provision/deprovision additional resources when required.  Scripts can also provision/deprovision additional resources at specific times of day or days of the week (when demand is predicted to be high or low).

Elasticity is the idea of being able to “scale out” – for example, adding more servers identical to the ones that are in use.

There are several Cloud Deployment Models in use today

IaaSInfrastructure as a Service  

A company will rent their physical infrastructure and pay per month or per hour.

The customer will not deal with up front costs or hardware maintenance.

The customer will see system components and will be responsible for configuring them.   Examples include Amazon Web Services  
SaaSSoftware as a Service

Software is licensed on a per hour or per month basis.

The software is centrally hosted.  The customer will not have to install software, manage licenses, or manage servers.   Examples include Microsoft Office 365 and Salesforce

PaaSPlatform as a Service  

Hybrid of IaaS and SaaS   Platform is licensed per hour or per month. Customer will not deal with hardware directly but is free to run any applications they want.   Advantage is ability to run applications without having to build the underlying infrastructure.   Example is AWS Hadoop  
Public CloudA public cloud is available to the public.

The hardware resources inside a public cloud are shared amongst all customers, which improves efficiency and reduces cost.

Multiple customers may be provided access to the same physical server without realizing it (cloud software should prevent data leaks)


Private CloudA private cloud is built by one organization for its internal use.

A large organization can use a private cloud to share resources amongst different departments.


Hybrid CloudA mix of a private cloud and a public cloud.   A company may decide that some applications are too sensitive to host with a public cloud, or that some applications will not run properly when they are off site but would like to take advantage of the public cloud.   Applications that can run on the public cloud are placed there, and remaining applications are placed on a private cloud.   The private cloud and public cloud are connected via a WAN or VPN.

Community CloudLike a private cloud except that infrastructure is shared by several organizations.   Several organizations that trust each other pool their computing resources.  For example, several different municipal government agencies (fire department, police department, infrastructure, etc.) pool their servers together.

An On-Premise Cloud is where the devices are in the organization’s physical buildings. 

A Hosted system is where the organization rents the devices from a third-party.  Another option is for the organization to purchase or lease the physical hardware but install them in a data center owned by a third-party ta center (known as co-location facility).  The organization takes advantage of enhanced monitoring, internet connections, and power.

Before we put any data in the cloud, we must think about the following

  • Does the cloud comply with Sarbanes-Oxley, HIPPA, and PCI (if applicable to our business)?

  • Does the cloud encrypt our data?  Is there a way for us to encrypt our data before sending it to the cloud?  Where are encryption keys stored?

  • How can we recover data from the cloud?

  • Can we make snapshots (a copy of our cloud-based system at a specific point in time) and restore from that snapshot?  In other words, if something goes wrong, can we restore our cloud-based system to a time when everything was right?

  • Security as a Service (SECaaS) is a service where an online provider manages our security on a monthly basis for a fee.

If your office is in Atlanta, but your data center is in New York, then data passing from your computer to the server must travel a long distance.  The time it takes to get between the two locations is called latency.  It can be detrimental to the user experience, and it can cause issues with some applications.

It is more efficient to build a server that is really good at one task than a server that is okay at many.  Generally, servers are built with one of two configurations: servers that can do a lot of thinking, and servers that can store a lot of data.  The latter might be called storage appliances

When we design our infrastructure, and when we are thinking about where we want to put our storage and servers, we need to think about how our data will flow through the system.

Consider a large retail store like Home Depot.  Every night after the store closes, each store uploads its sales data to the cloud.  The servers process all the data and generate reports, which management looks at the next morning.  It makes sense to have all the processing power in the central location and not in the store.

Now consider an engineering firm.  The engineering firm creates drawings for a building, and then renders them in three-dimensions.  They must upload each drawing to the central server, have the central server render it, and then download the completed file.  It might make more sense to keep the processing power in the office.

A more extreme example.  Say you have a smart thermostat.  The thermostat measures the room temperature and sends it to a cloud server.  The cloud server decides whether to raise or lower the temperature and sends a signal back to the thermostat.  The thermostat uses the information to raise or lower the temperature.  It makes more sense to have the decision-making technology inside the local thermostat.  Connecting the thermostat to the cloud is still necessary so that the user can monitor and control it remotely.

This brings us to a new concept called Edge Computing.  It applies more to Internet of Things devices than to standard computers.  The idea is that since these devices are gathering a substantial amount of raw data, instead of uploading it to the cloud, each local device can process it locally and only upload the results.

Edge computing reduces the latency between the input and the output.  It also reduces the load on the main internet connection.

When the data is processed on a LAN device that is not the actual sensor (for example, we might install a gateway in our LAN that connects to each of our smart thermostats), we might call this fog Computing, also known as Fogging or Fog Networking,

The military is taking fog computing one step further and developing a Disruption Tolerant Mesh Network.  The idea is that each device can talk directly to devices nearby without having to go through a central server.  Since there is no central location, even if part of the network is damaged, the rest of it can continue operating.

For more information on Fog Computing, consult NIST Special Publication 500-325.

Containers

I mentioned DaaS or Desktop as a Service, where you can store your entire desktop in the cloud and connect to it remotely.  We are going to take this idea one step further.  Let’s say that instead of us giving each user access to an entire remote desktop, we give them access to just one remote application.

We can virtualize just the application.  We can make it so that a user can open Microsoft Word from their start menu for example, and Microsoft Word opens like normal, but in reality, that application is running on a cloud server.  And we can do that for every application that the user has.  So, each application is running on a remote server, but it appears to be running on the local machine. 

What’s the point?  Why bother?  Why not install the applications on each user machine?  Well, if the applications are central, it is easy to update them.  We don’t need to give users powerful computers.  And we can store the data somewhere safe.

To accomplish this, we create a container for each application.  A container is a user space that contains the application, external libraries, and other configuration files – basically, everything that the application needs to run.

Multiple containers can run on the same machine and operating system.  So, we don’t need to create a separate virtual machine for each user.

The most popular containerization application is called Docker.  Docker can take an application and package it into a container that can run on Windows, Linux, macOS with very little overhead.  Docker was free until August 2021.

Microservices/API

We can take the containerization one step further.  Let’s say that our application is large, with many functions, and each user only needs a few of them.  We can containerize each function separately.  This is known as microservices.  For example, if we have an accounting program, it could have the following functions: accounts payable, invoicing, accounts receivable, payroll, report generation, and inventory.  We don’t need to containerize the whole application if each user need access only to a few functions.

To successfully implement microservices, we need support from the software development team.  Microservices are helpful because each function in the application can be updated separately and can scale separately.  If one function becomes more popular, we can scale its hardware efficiently.  We don’t have to worry about scaling the entire application.  And we can write each function in a different language.

We might talk to a microservices application through an API.

Serverless Architecture

So, this whole containerization idea brings us back to the cloud delivery model.  If we look at AWS for example, we can see an offering called Lambda.  What you can do with Lambda is take your code or your container and upload it to the “cloud”.  The code just runs, and you are billed for the resources that it uses.  You don’t have to worry about setting up servers or storage.  The “cloud” scales your infrastructure up and down as required.  We can call this serverless architecture

Now don’t get it wrong – there are still servers.  The physical hardware will never go away.  It’s just that we don’t have to think about it anymore.  We write the code and the software layer figures out how to deliver it.

We can integrate Lambda with many other services.  An action taken by a user can trigger a piece of code on Lambda to execute automatically.

When there are many services, having to log in to multiple control panels to manage each of them is bad.  We can integrate most cloud services with a tool called a Service Integration and Management or SIAM.  You will see many application providers boast about controlling the application through a “single pane of glass”.  This is what they mean.  You can log in to one place and see everything.

SCADA stands for Supervisory Control and Data Acquisition while ICS stands for Industrial Control System.  These systems are found at power plants, factories, utilities, and other critical forms of infrastructure.

An ICS is designed to operate reliably 24 hours per day, 7 days per week for many years, without interruption.  Multiple ICSs can be combined to operate redundantly.  An ICS may consist of many PLCs – Programmable Logic Controllers.  A PLC is a special type of industrial computer that collects input from sensors, uses an algorithm to make decisions, and send an output to different control units. 

For example, a PLC could be connected to a water pump that is filling a tank with water, and a sensor that is monitoring the tank’s water level.  The PLC continuously monitors the tank’s water level.  When the tank is empty, the PLC directs the pump to pump water, and when the tank is full, the PLC directs the tank to turn off.

Multiple ICSs can be connected to a SCADA system.  The SCADA system collects data regarding a process.  For example, the SCADA system can collect data from an oil refinery to determine the quantity of crude oil being turned into gasoline and can collect data from thousands of steps along that process.  This data is typically sent to a control room where operators can analyse the data and detect discrepancies.

The different components of the SCADA system can be housed close together or may be far apart.  SCADA system components may communicate over a standard IP network via copper or fiber links.

Ideally, a SCADA system should be air gapped and isolated from any commercial network.  This is not always possible because a SCADA system may control facilities that are physically separated by hundreds of kilometers.  For example

  • SCADA system that controls the traffic lights in a major metropolitan city

  • SCADA system that controls the power grid in the North Western United States

  • SCADA system that monitors multiple oil refineries in a state

The SCADA system’s communications should be

  • Securely encrypted

  • Air gapped and isolated from any commercial network, where possible

  • On a dedicated WAN connection where air gapping is not possible due to distances

Yet there are many SCADA systems in use today that are accessible remotely (due to the negligence of the installer or manufacturer), some without a password.  It is possible to locate these systems simply by running a port scan. 

SCADA should be physically isolated from the commercial network.  For example, a nuclear plant should not allow any part of the SCADA network to interact with the plant’s commercial network. 

SCADA systems should not communicate wirelessly unless necessary, and where extreme precautions have been taken to ensure that all data is encrypted. 

Many components inside the SCADA system may communicate without encryption.  An air-gapped SCADA network can be easily disrupted if a malicious user has physical access to any SCADA network equipment or wiring.  A malicious individual could splice the wiring between two SCADA system components and

  • Disrupt the communication.  For example, a conveyor belt is being used to load a truck with fertilizer.  A hacker could cut the wire between the PLC and the conveyor belt motor, in which case no trucks could be filled.  This behavior would disrupt operations.

  • Spy on the communication.  For example, a hacker could spy on the content of the communication to determine the quantity of oil being refined; the hacker could use this data to predict oil prices on the open market and place trades.

  • Substitute inaccurate data inside the communication.  For example, SCADA systems are used to control traffic lights in many major cities.  These systems connect over unencrypted wireless systems or analog telephone lines.  A hacker could disrupt the traffic patterns and bring intersections to a halt.

According to NIST Guidelines for SCADA Systems (NIST Special Publication 800-82), good SCADA security should

  • Restrict logical access to an ICS network (using firewalls, multiple network layers, a DMZ, and unidirectional gateways)

  • Restrict physical access to an ICS network

  • Protect ICS from exploitation (install and test patches when available, disable unused ports and services, restrict user privileges to only those that need it, monitor and audit use of the system, check for file integrity)

  • Restrict modification of data

  • Detect security incidents (detect security events before they become incidents, detect failed ICS components and overloaded resources)

  • Maintain functionality during adverse conditions (ensure that there is no single point of failure, that critical components have redundant counterparts, that the failure of a specific component does not create additional traffic or cascading effects, that if the system is to operate in a degraded state it does so gracefully)

  • Restore the system after an incident (organization should have an incident response plan which includes key roles for all individuals involved, a well documented system, back up of all configuration, readily available replacement parts, and support from manufacturers and vendors)

An example of a virus that affects SCADA systems is Stuxnet.  The Stuxnet virus

  • Infected computers and hid its presence through a root kit

  • Infected the firmware on USB drives inserted on those computers (the firmware on a USB drive does not contain any user storage and is typically inaccessible by any form of operating system or antivirus program)

  • Searched for and infected any computer running the Siemens Step7 software application (which is used to write scripts that control PLCs)

  • Once locating a PLC, modified the code on the PLC so that it would cause damage, but returned normal values to the computer (so that the operator was unaware as to the harm that was being caused)

Other types of computing systems

  • Grid Computing – Grid Computing provides central management and many local computers.  The local computers process data and take commands from the central system.  If the central computer crashes it can cause all of the local computers to crash.  It is not good for time sensitive data applications.

  • Peer to Peer Computing (P2P) – P2P allows many computers to work together with no central management.  Many file distribution systems use P2P because it removes the need for a central data repository.

  • Internet of Things (IoT) – IoT devices are consumer devices that can connect to the internet.  They include home appliances, security cameras, and watches.

How can we protect embedded systems?  An embedded system is a computer that is installed inside another device, such as a television, a kitchen appliance, or a vehicle.  As embedded systems become more advanced, they are able to connect to the internet, and therefore become vulnerable to hackers.

A cyber-physical system is a computer application that can control a physical device.  For example, a computer that manages an electrical generator is a cyber-physical system.

How can we protect our embedded systems?

  • Network Segmentation – we can divide our network physically or via VLANs so that embedded devices can’t be accessed from outside the network

  • Security Layers – we can create security layers so that intruders cannot access the devices.  We may even air gap the devices (ensure that there is no physical connection between the device and the internet)

  • Firewalls – we may install firewalls at the edge of the network to prevent access to the devices

  • Manual Updates – we may apply updates to the device manually, and not allow it to automatically download or install updates

  • Firmware Control – we may control the version of firmware running on each device

  • Control Redundancy – we should use a combination of controls to protect our device in case one of them fails

Some specific technical controls

  • Layering – we surround our object with multiple layers of controls.  An outer layer does not know about the inner layers.  If one layer fails, the others will continue to protect the object.  The layers communicate with each other through specific protocols.

  • Abstraction – we don’t allow the end user to understand how the object works.  The object will only respond to specific requests.

  • Data Hiding – we give each data item a security classification.  Data can only be viewed at an appropriate security level.

  • Process Isolation – the operating system will provide a separate memory space for each application process.  A process cannot access data that belongs to another process.

Hardware Segmentation – we use physical hardware to prevent data from different security levels from mixing