Common Software Vulnerabilities and Countermeasures
This course covers section one of CSSLP Domain Four: Common Software Vulnerabilities and Countermeasures. You'll learn the elements, ideas, concepts, and principles behind the issues that must be considered before embarking on a program of building secure software.
- Understand programming fundamentals
- Become familiar with different development methodologies
- Learn about common software attacks and the means of exploitation
This course is intended for anyone looking to develop secure software as well as those studying for the CSSLP certification.
Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.
Some other concerns that we have to bear in mind: embedded systems, which are typically purpose-built, often single-board computers or components installed within a larger context. These can use quite unique languages and factors, but as a consequence of being so unique, they receive little or no attention regarding security, as often happens with systems specifically designed for specific uses in specific industries, such as we encounter in IoT, industrial control systems, automated robots, and SCADA.
These are constructs of devices and components operating in various ways on public and industrial systems, such as plants, traffic control, air traffic control, and public transit. They are often found operating critical infrastructure, yet they suffer from a lack of attention and end up becoming obsolete, because they also suffer from the attitude of "if it ain't broke, don't fix it." Sadly, this has produced some very adverse consequences in many different locations.
Now, we do have one form of attack that doesn't bother with a straight frontal assault. It is a non-direct attack form that targets the implementation or other elements associated with a particular system, without a head-on attack on the operating system itself. These can be very, very effective, as we've seen in many cases. These use an indirect approach, attacking cryptographic components or timing components, such as in the TOCTOU or race condition, and Tempest, which is a set of countermeasures against electromagnetic interference and electromagnetic-based attacks.
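The TOCTOU (time-of-check/time-of-use) race condition mentioned above, shown as an added example that is not part of the course material: a check-then-open pattern that validates a file *name* and then opens it, beside the hardened form that opens first and validates the descriptor it actually holds. The `between` hook is a hypothetical stand-in for whatever changes the file between the check and the use; the scenario files are constructed in a temporary directory, and a POSIX system is assumed for `os.O_NOFOLLOW` and `os.symlink`.

```python
"""Added example (not course material): a TOCTOU race on a file path, and the
descriptor-based check that closes the window. Assumes POSIX."""
import os
import stat
import tempfile
from typing import Callable, Optional


def read_checked_by_path(path: str,
                         between: Callable[[], None] = lambda: None) -> Optional[bytes]:
    """Vulnerable pattern: the check (lstat on the path) and the use
    (open on the same path) are two separate operations on a name.
    `between` is a hypothetical hook standing in for anything that alters
    what the name refers to after the check has already passed."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        return None
    between()                        # the race window the check cannot see
    with open(path, "rb") as f:      # open() follows symlinks
        return f.read()


def read_checked_on_fd(path: str) -> Optional[bytes]:
    """Hardened pattern: open first, refusing to follow symlinks, then check
    the descriptor actually held. Check and use refer to the same open file,
    so nothing that happens to the name in between can redirect the read."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:                  # e.g. ELOOP: the name became a symlink
        return None
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            return None
        with os.fdopen(fd, "rb") as f:
            fd = -1                  # the file object now owns and closes fd
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo() -> dict:
    """Constructed scenario: a public file the program may read and a secret
    file it must not; the swap replaces the public name with a symlink."""
    with tempfile.TemporaryDirectory() as d:
        public = os.path.join(d, "public.txt")
        secret = os.path.join(d, "secret.txt")
        with open(public, "wb") as f:
            f.write(b"public data")
        with open(secret, "wb") as f:
            f.write(b"secret data")

        def swap() -> None:
            os.remove(public)
            os.symlink(secret, public)

        results = {}
        results["by_path_no_race"] = read_checked_by_path(public)
        results["by_path_raced"] = read_checked_by_path(public, between=swap)
        # The name is now a symlink; the descriptor-based version rejects it.
        results["on_fd_symlink"] = read_checked_on_fd(public)
        os.remove(public)
        with open(public, "wb") as f:
            f.write(b"public data")
        results["on_fd_regular"] = read_checked_on_fd(public)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The design point is that a validation result is only trustworthy for the object it was computed on: `lstat` answers a question about a name, while `fstat` answers it about the open file, and only the latter is the thing the program goes on to read.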
We have, of course, the final set of concerns, which is by no means trivial and is often a part of any other attack scenario you care to think about: the human-assisted attacks, social engineering. These are in fact a category of effectively side-channel attacks, because by directing them at human targets, the attacker is able to prompt an assistive response from that human target that helps in arriving at the desired outcome.
Now, these are often employed as an early step in the actual planned attack sequence. They often employ various forms of deceptive technique to produce the desired reaction, which then leads to a further step down the pathway of the intended attack sequence. In general, these are called phishing, of course, phishing with a "ph". Literally what happens is that a logical hook is baited with a seemingly genuine offer of something desirable. It makes use of the fact that people seek various things, and it employs various techniques of masquerading and simple psychology to exploit human behavior.
Typically they use a promise of something for nothing. Sometimes it involves delivering a veiled threat and applying pressure to act without thinking: making something sound urgent, "I need you to do this right now, or five minutes ago." And so people act without thinking and provide the attacker what they're seeking. Humans are tempted by things that are secret, hidden, or exclusive, and hackers make use of the psychology behind that. And then there is the kind that feigns familiarity to gain trust for further exploitation, which is the classic way that phishing more or less came into existence.
Now, apart from the fact that we can train people to be watchful, mindful, and not simply to react to things that may seem genuine but don't seem to have a genuine source, there is very little we can do in system design to combat this particular threat, because it is human-based, at least in its starting phases. The best defense is going to be part of the larger defense-in-depth program involving training. And there are phishing campaigns that are often conducted as periodic testing of users, to see who can be caught on this particular hook.
Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.
Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.