# Cyber Security Base

by [University of Helsinki](https://www.helsinki.fi/en) and [mooc.fi](https://mooc.fi/) in collaboration with [F-Secure](https://www.f-secure.com/)

### Chapters:
1. Introduction to Cyber Security
2. Securing Software
3. Course Project I
4. Advanced Topics
5. Course Project II
6. Capture the Flag

## 1. Introduction to Cybersecurity

### Basic definitions

- **Asset:** What is being protected; it has value to its owner. It can be tangible (a server) or intangible (data).
- **Threat:** The intention to cause damage. For cyber security this can be defined as a hostile act aimed by an attacker at an asset. Even if the attacker does not intend to do harm, a threat is still a threat. The attacker posing a threat is commonly called a threat actor.
- **Vulnerability:** A defect in a target system. This defect may be a bug in application code or a flaw in the design of the system. A vulnerability can also be a consequence of improper configuration or user action.
- **Exploit:** A way to take advantage of a known vulnerability. The usual objective is to take control over the asset. (Social engineering, commonly considered a simple scam, is one kind of exploit.)

**Rising complexity of software products:** *Different parts of the systems may be developed by different vendors, but need to interoperate. Moreover, most current systems are based on software frameworks which enlarge the code footprint of even small applications, and/or are extensible with/via plugins and addons.*

**Vulnerability Databases:**
- [National Vulnerability Database](https://web.nvd.nist.gov/view/vuln/statistics)
- [Common Vulnerabilities and Exposures](https://cve.mitre.org/index.html)

#### Essay 1: What are the costs of dealing with cyber security attacks? What are the direct and indirect costs when dealing with cyber security attacks?

[The Oxford document](https://www.oxfordeconomics.com/my-oxford/projects/276032) distinguishes between two kinds of costs that are relevant when a cyber security attack takes place:
1. Direct costs associated with the attack:
   - Clean-up or remediation costs associated with an attack.
   - Lost productivity due to the disruption of the normal operation of the business.
   - Damage to the IT equipment (physically; either theft or destruction).
   - Damage through the loss of intellectual property.
   - Loss of competitive position due to the release of internal documents (e.g. take-over plans).
2. Indirect costs associated with an attack:
   Here the report talks about the costs incurred due to the loss of the brand's value. If a company publishes that it was the target of an attack, different stakeholders (such as customers) lose faith in the company and the valuation of the company can suffer. The report measured these costs as the loss of the stock price after publication of a security incident.

Additionally, on pages 54ff. the Oxford report also looks at the macro environment of costs that are relevant when talking about cybersecurity:
1. Costs associated with the anticipation of the crime:
   the purchasing of IT equipment, knowledge etc. to prevent a security incident in the first place.
2. Costs incurred as the consequence of a cyber attack:
   the above mentioned direct and indirect costs are relevant here.
3. Costs deriving from the response to a cyber crime:
   here the report talks about the justice system and its actors pursuing an attacker. These costs are borne by the taxpayer.

[Cyber Security: It's all about the coders](https://www.youtube.com/watch?v=fi44mL7mcq0)
- **CIA**: **C**onfidentiality - **I**ntegrity - **A**vailability
- What should my software do -> What shouldn't my software do? Software Security Mindset for coders

[Cyber Self-Defense](https://www.youtube.com/watch?v=knLDY7hRm5I)
- 50% of attacks are successful. But those successful ones happen within the first hour.
- Estimated cost of data breach is 3.79 million USD (2015)
- Hacktivists, Criminals, APT
- People are the new perimeter. Not just better tools, but a layered defense model.
- Relevant for personal reasons, as well as professional
- Social Engineering is the MO of a Cyber criminal (Phishing, Credential Harvesting,...)
- Rules for Cyber Self-Defense:
  - Don't Click (2x)
  - Use strong passwords (length is superior to complexity)
  - Don't reuse passwords
  - Don't use passwords (2FA)
  - Patch your software
- Trust, but verify

[Everyday cybercrime](https://www.ted.com/talks/james_lyne_everyday_cybercrime_and_what_you_can_do_about_it?language=en)
- Malicious Software is commercial (for example: BlackHole exploit kit)

#### Essay 2: Why is cyber security such a big deal today and whose job it actually is to protect you?

The importance of cyber security is easily demonstrated by the first talk, where the presenter discusses the impact of cyber security incidents: a compromised credit card number can quickly be replaced with a new one (even though the estimated cost of a data breach is 3.79 million USD), but if, for example, medical information is leaked, the damage is nearly irrevocable. This illustrates the importance of cyber security for all of us.


The summary of the three different talks would be that cybersecurity is also the job of every one of us:

Each of the talks takes a different perspective on who should be responsible, but all three of them also agree that it is on all of us to improve our cyber security and to think before we click on something.

Dan Cornell's talk focuses on the education of software engineers to write better, more secure code to ensure that the applications we use every day and take for granted (like Amazon) are secure and do not leak our personal information.

Paul Carugati's talk focuses on rules for personal cyber security defense. Additionally, it makes the point that "people are the new perimeter", meaning that social engineering tactics are becoming more widespread.

The last point shows that even if you have a good cyber security defense, you are still in danger if your relatives or friends do not.


*In short, cyber security is everyone's business. Designers and implementers build systems that have no holes (well, as few as possible), operations staff build and maintain secure networks, administrators keep systems properly updated and configured, users should prefer secure software, and executives should make early investments in security.*

### Two Methods of Modelling Threats

#### STRIDE - Threat Model
**Spoofing** - When someone uses another user's credentials for access.

**Tampering** - Changing persistent data, either on the machine or in transport.

**Repudiation** - Specifies that a system should be able to log a user's actions as evidence in case a breach happens.

**Information Disclosure** - Unauthorized disclosure of information.

**Denial of Service** - (Temporarily) affecting the availability of a system.

**Elevation of Privilege** - A user gains additional rights to compromise a system.

#### DREAD - Risk Assessment Model
- Damage
- Reproducibility
- Exploitability
- Affected Users
- Discoverability

=> Used to judge the severity of breaches. Every category is rated on a scale of 0 to 10.

## 2. Securing Software

## Ports and Applications

If a computer has a software process (a program) running on it and the program has control of a port and listens to the data sent to it, it can be communicated with. This communication follows a set of rules, the **protocol**.

A program on the same computer, or a program on a different computer (on the network), can send data to this port.

- **IPv4:** 4 x 8 bit address space, resulting in 2^32 possible addresses.
- **IPv6:** 2^128 possible addresses.

From a programmer's point of view the communication between two computers is done via a "Socket", which is essentially a handle (similar to a file handle) that can be used for reading and writing.


Example of a Socket in Java

```
import java.net.Socket;
import java.util.Scanner;

String address = "127.0.0.1";
int port = 12312;

// Connect to the program listening on address:port; the socket is the handle
Socket socket = new Socket(address, port);
// Read what the other side sends, line by line
Scanner reader = new Scanner(socket.getInputStream());
```
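The server side of the same picture, as an added example that is not part of the course material: an echo server that owns a port and a client that talks to it through a `Socket` handle. It assumes port 12312 (the one used above) is free and binds the server to the loopback address only, so it is reachable from the same machine but not from the network; `EchoExample`, `serve` and `ask` are names chosen for this example.

```java
// Added example, not from the course material. Assumption: port 12312 is free
// on localhost; the server is bound to 127.0.0.1 only.
import java.io.IOException;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.util.Scanner;

public class EchoExample {

    // Server side: accept one client and echo every line back until it sends "quit"
    static void serve(ServerSocket server) throws IOException {
        try (Socket client = server.accept();
             Scanner in = new Scanner(client.getInputStream());
             PrintWriter out = new PrintWriter(client.getOutputStream(), true)) {
            while (in.hasNextLine()) {
                String line = in.nextLine();
                if (line.equals("quit")) {
                    break;
                }
                out.println("echo: " + line);
            }
        } // try-with-resources closes the client socket even on an exception
    }

    // Client side: the Socket is the handle used for both writing and reading
    static String ask(String host, int port, String message) throws IOException {
        try (Socket socket = new Socket(host, port);
             PrintWriter out = new PrintWriter(socket.getOutputStream(), true);
             Scanner in = new Scanner(socket.getInputStream())) {
            out.println(message);
            String reply = in.nextLine();
            out.println("quit");
            return reply;
        }
    }

    public static void main(String[] args) throws Exception {
        // Backlog of 1, bound to the loopback interface only: nothing on the
        // network can connect to this port
        ServerSocket server = new ServerSocket(12312, 1, InetAddress.getLoopbackAddress());
        Thread serverThread = new Thread(() -> {
            try {
                serve(server);
            } catch (IOException e) {
                e.printStackTrace();
            }
        });
        serverThread.start();

        System.out.println(ask("127.0.0.1", 12312, "hello"));

        serverThread.join();
        server.close();
    }
}
```

Binding to `InetAddress.getLoopbackAddress()` rather than all interfaces is the habit worth keeping: a listening port that does not need to be reachable from the network should not be.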

### Web Servers and Web Applications

Web servers are programs that listen for incoming connections, normally following the HTTP protocol on port 80.
Web servers typically forward the request to the web application. Web developers normally do not implement their own web server.

Web applications typically include client-side (browser) and server-side (web server) functionality.

![Web Server](/img/webserver.png)


 

#### Spring Boot

* `@Controller` - marks the class as a controller.
* `@RequestMapping("*")` - defines the path(s) the application answers on.
* `@ResponseBody` - marks the return value as the response body that is sent:
```
public String hello(){
    return "Hello Web!";
}
```

### Request & Response

*Each request may contain information that is being sent to the web application. In principle, there are two ways to handle this: (1) by adding parameters to the address, or by (2) adding parameters to the request body.*

These parameters can be accessed via `@RequestParam`:

```
public String greet(@RequestParam String user) {
    return "Hi " + user + ", how are you?";
}
```

### Views to the User

*HTML content is typically created using templates that include embedded commands that are used for determining the content that should be added to those templates. Here, we use a template engine called Thymeleaf.*

**This will take the template "video.html" from the resources/templates/ folder and respond with it.**

```
@RequestMapping("/video")
public String video(){
    return "video";
}
```



### Adding data to the view

This is done via the Model Object:

```
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;

@Controller
public class TemplatesAndDataController {

    @RequestMapping("/")
    public String home(Model model) {
        model.addAttribute("text", "Hello World!");
        return "index";
    }
}
```

In this case the value from the Model is inserted into the element carrying `th:text="${text}"` in the template.

### Adding content from forms

```
<form th:action="@{/}" method="POST">
    <input type="text" name="content"/>
    <input type="submit"/>
</form>
```

### Handling of Lists in Thymeleaf Templates

```
<ul>
    <li th:each="item : ${list}">
        <span th:text="${item}">hello world!</span>
    </li>
</ul>
```

### Javascript

*When adding JavaScript code to a Spring Boot project, it is typically added to the folder src/main/resources/public/javascript/. All the files in the folder src/main/resources/public are made publicly available and downloadable through the server. Given that a JavaScript file, say code.js, is in the folder javascript, the script element is used as follows: `<script th:src="@{/javascript/code.js}"></script>`.*

For example, `document.querySelector("#someId").value` reads the value of the element with the id `someId`.



#### Request Data from a Server

```
var xmlHttp = new XMLHttpRequest();
xmlHttp.onreadystatechange = function() {
    if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
        var response = JSON.parse(xmlHttp.responseText);
        document.querySelector("#content").innerHTML = response.value.joke;
    }
}
xmlHttp.open("GET", "http://api.icndb.com/jokes/random/", true);
xmlHttp.send(null);
```


### Returning JSON Data from a Web Application

If a method annotated with `@ResponseBody` returns an object, the object is serialized and returned as JSON.

```
public class Book {
    private String name;

    public String getName() {
        return this.name;
    }

    public void setName(String name) {
        this.name = name;
    }
}
```

and

```
@RequestMapping("/books")
@ResponseBody
public Book getBook() {
    Book book = new Book();
    book.setName("The Book of Eli.");
    return book;
}
```

### CORS - Cross-Origin Resource Sharing

JS/HTML/CSS is publicly available and can be accessed from anywhere.

If a script's request goes to a server other than the one the application was loaded from (a different origin) and that server does not explicitly allow the request, the browser blocks it.

CORS support is added on the server:

```
@CrossOrigin(origins = "/**")
```
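Added example, not the course's own code, showing the permissive setting next to a restricted one, plus a global rule so that individual handlers cannot forget it. It assumes the front end is served from `https://app.example.com`, the API lives under `/api/`, and Spring 5 / Spring Boot 2 (where `WebMvcConfigurer` has default methods); `JokeApi` and `CorsConfig` are names chosen for the example.

```java
// Added example, not from the course material. Assumptions: front end at
// https://app.example.com, API under /api/, Spring 5 / Spring Boot 2.
import java.util.Collections;
import java.util.Map;

import org.springframework.context.annotation.Configuration;
import org.springframework.web.bind.annotation.CrossOrigin;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

// @RestController = @Controller + @ResponseBody on every handler
@RestController
class JokeApi {

    // Weak setting: any origin may read this response. Acceptable only for
    // data that is genuinely public and never served with credentials.
    @CrossOrigin(origins = "*")
    @RequestMapping("/api/public/joke")
    public Map<String, String> publicJoke() {
        return Collections.singletonMap("joke", "constructed sample joke");
    }

    // Corrected setting: only the known front end may read this response
    @CrossOrigin(origins = "https://app.example.com")
    @RequestMapping("/api/joke")
    public Map<String, String> joke() {
        return Collections.singletonMap("joke", "constructed sample joke");
    }
}

// Global rule for the whole /api/ tree, applied whether or not a handler
// carries its own @CrossOrigin annotation
@Configuration
class CorsConfig implements WebMvcConfigurer {

    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/api/**")
                .allowedOrigins("https://app.example.com")
                .allowedMethods("GET", "POST")
                .allowCredentials(true)   // cookies may be sent, but only from that origin
                .maxAge(3600);            // browser may cache the preflight answer for an hour
    }
}
```

The point to remember is that CORS is enforced by the browser, and the server's headers only say which origins the browser may let read the response; a server-side authorization check is still needed for every request.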

## Storing data in a database

So far all the data is only stored in the program itself. If the server is restarted, the data is lost. That's why data is normally stored in a database.

Going forward we use the [Java H2 database engine](http://www.h2database.com/html/main.html).

#### SQL Tutorial from [SQLbolt](https://sqlbolt.com/)

##### Basic SQL
```
SELECT column, another_column, …
FROM mytable
WHERE condition(s)
ORDER BY column ASC/DESC
LIMIT num_limit OFFSET num_offset;
```

##### Multi-Table

To ensure performance and reduce data duplication the data in databases is normalized.
*Tables that share information about a single entity need to have a primary key that identifies that entity uniquely across the database.*

###### Inner-Join

```
SELECT column, another_table_column, …
FROM mytable
LEFT/RIGHT/FULL/INNER JOIN another_table 
    ON mytable.id = another_table.id
WHERE condition(s)
ORDER BY column, … ASC/DESC
LIMIT num_limit OFFSET num_offset;
```

##### Complete Query

```
SELECT DISTINCT column, AGG_FUNC(column_or_expression), …
FROM mytable
    JOIN another_table
      ON mytable.column = another_table.column
    WHERE constraint_expression
    GROUP BY column
    HAVING constraint_expression
    ORDER BY column ASC/DESC
    LIMIT count OFFSET count;
```

##### Manipulating data

Inserting with values for all columns:

```
INSERT INTO mytable
VALUES (value_or_expr, another_value_or_expr, …),
       (value_or_expr_2, another_value_or_expr_2, …),
       …;
```

Insert with specific columns:

```
INSERT INTO mytable
(column, another_column, …)
VALUES (value_or_expr, another_value_or_expr, …),
      (value_or_expr_2, another_value_or_expr_2, …),
      …;
```

Updating

```
UPDATE mytable
SET column = value_or_expr,
    other_column = another_value_or_expr,
    ...
WHERE condition;
```

Deleting

```
DELETE FROM mytable
WHERE condition;
```

Creating Tables

```
CREATE TABLE IF NOT EXISTS mytable (
  column *DataType* *TableConstraint* DEFAULT *defaultvalue*
  ...
);
```

Constraints:

* PRIMARY KEY - Values are unique and identify each row
* AUTOINCREMENT - Automatically incremented with each row insertion
* UNIQUE - Values are unique, but the column is not the primary key
* NOT NULL - Inserted value can not be NULL
* CHECK (expression) - Inserted values must satisfy the expression
* FOREIGN KEY - Value must exist in the referenced column of another table (consistency check)

Altering Tables

```
-- Adding columns
ALTER TABLE mytable
ADD column *DataType* *OptionalTableConstraint*
  DEFAULT default_value;

-- Removing columns
ALTER TABLE mytable
DROP column_to_be_deleted;

-- Renaming
ALTER TABLE mytable
RENAME TO new_table_name;
```

Dropping Tables

```
DROP TABLE IF EXISTS mytable;
```

### Java Database Connectivity API

When a program accesses a database it needs to:

1. Create a database connection
2. Execute a query on the database
3. Do something with the results of the query
4. Close the connection to the database

This code connects to the database "database" with the username "sa" and no password using JDBC:

```
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;

public class BookPrinter {

    public static void main(String[] args) throws SQLException {
        // Open connection
        Connection connection = DriverManager.getConnection("jdbc:h2:file:./database", "sa", "");

        // Execute query and retrieve the query results
        ResultSet resultSet = connection.createStatement().executeQuery("SELECT * FROM Book");

        // Do something with the results -- here, we print the books
        while (resultSet.next()) {
            String id = resultSet.getString("id");
            String name = resultSet.getString("name");

            System.out.println(id + "\t" + name);
        }

        // Close the connection
        resultSet.close();
        connection.close();
    }
}
```
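The same four steps written as an added example (not the course's code) with a `PreparedStatement` and try-with-resources: a value coming from the user is bound as a parameter instead of being pasted into the SQL text, and every resource is closed even when a query throws. It assumes the same H2 file database, user `sa` with no password, and a `Book` table with columns `id` and `name`; `BookLookup` and `findByName` are names chosen for the example.

```java
// Added example, not from the course material. Assumptions: H2 file database
// ./database, user "sa", empty password, table Book(id, name).
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;

public class BookLookup {

    // Returns "id<TAB>name" for every book with exactly the given name.
    // The name is bound with setString, so the database treats it as data
    // and never as part of the SQL statement.
    static List<String> findByName(String name) throws SQLException {
        String sql = "SELECT id, name FROM Book WHERE name = ?";
        List<String> rows = new ArrayList<>();

        // 1. Open the connection. try-with-resources closes the connection and
        //    the statement in reverse order, also when an exception is thrown.
        try (Connection connection = DriverManager.getConnection("jdbc:h2:file:./database", "sa", "");
             PreparedStatement statement = connection.prepareStatement(sql)) {

            // 2. Bind the parameter, then execute the query
            statement.setString(1, name);
            try (ResultSet resultSet = statement.executeQuery()) {

                // 3. Do something with the results -- here, collect them
                while (resultSet.next()) {
                    rows.add(resultSet.getString("id") + "\t" + resultSet.getString("name"));
                }
            }
        } // 4. Everything is closed at this point
        return rows;
    }

    public static void main(String[] args) throws SQLException {
        for (String row : findByName("The Book of Eli.")) {
            System.out.println(row);
        }
    }
}
```

The difference from the snippet above is not only the explicit close: with `createStatement()` the query text is fixed at compile time, and the moment a user-supplied value has to enter the query, the `?` placeholder with `setString` is the way to add it.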

### Objects and Databases

Object-relational mapping - ORM. ORM tools offer the functionality needed to transform existing classes into database schemas and to build queries using objects.

* The JPA standard states that each class that represents a database table should be defined as an *entity* - `@Entity`
* Additionally, each class that represents a table should have an identifier - `@Id`
* Finally, the class should implement the `Serializable` interface

The following code defines a person that would be transformed into a database table on the fly.

```
// package

import java.io.Serializable;
import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.GenerationType;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name = "Person")
public class Person implements Serializable {
    @Id
    @GeneratedValue(strategy = GenerationType.AUTO)
    @Column(name = "id")
    private long id;
    @Column(name = "name")
    private String name;

    // getters and setters
}
```

Spring provides a Spring Data JPA superclass `AbstractPersistable` that can be inherited; it supplies the `id` field and the `Serializable` implementation:

```
// package

import javax.persistence.Column;
import javax.persistence.Entity;
import javax.persistence.Table;
import org.springframework.data.jpa.domain.AbstractPersistable;

@Entity
@Table(name = "Person")
public class Person extends AbstractPersistable<Long> {

    @Column(name = "name")
    private String name;

    // getters and setters
}
```

The table is then accessed through a repository interface (here `PersonRepository`). With `@Autowired` we can include it in our Controller:

```
// package and imports

@Controller
public class PersonController {

    @Autowired
    private PersonRepository personRepository;

    // when a request is made to the address "/persons"
    @RequestMapping("/persons")
    public String listAll(Model model) {

        // find all persons from the database and add them to the model
        model.addAttribute("persons", personRepository.findAll());

        // then create a view from a file called "persons.html" and
        // send it as a response to the request
        return "persons";
    }

    // etc ...
}
```
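The repository interface that the controller above autowires, written here as an added example (not the course's own code), together with a search endpoint that uses a derived query. It assumes the `Person` entity from this section is in the same package and that Spring Data JPA is on the classpath; `findByName`, `PersonSearchController` and the `persons` view are names chosen for the example.

```java
// Added example, not from the course material. Assumptions: Person entity in
// the same package, Spring Data JPA available, a "persons.html" template.
import java.util.List;

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;

// Spring Data generates the implementation at startup: findAll, save,
// delete and so on come from JpaRepository.
public interface PersonRepository extends JpaRepository<Person, Long> {

    // Derived query: the method name is turned into
    // "select p from Person p where p.name = ?1", with the argument bound as
    // a parameter rather than concatenated into the query
    List<Person> findByName(String name);
}

@Controller
class PersonSearchController {

    @Autowired
    private PersonRepository personRepository;

    // GET /persons/search?name=... lists only the matching persons
    @RequestMapping("/persons/search")
    public String search(@RequestParam String name, Model model) {
        String wanted = name.trim();
        // An empty search term would otherwise match nothing useful; return
        // an empty list instead of querying
        List<Person> persons = wanted.isEmpty()
                ? java.util.Collections.<Person>emptyList()
                : personRepository.findByName(wanted);
        model.addAttribute("persons", persons);
        return "persons";
    }
}
```

Because the repository builds the query from the method name, the user's input only ever reaches the database as a bound parameter; the same holds for `@Query` methods as long as they use `?1` or `:name` placeholders.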



### Database Transactions

Often we have to ensure that either all queries of a set are executed or none of them.

In Spring we can use the `@Transactional` annotation to indicate that the transaction should be completed entirely or not at all.

Example:

```
@Transactional
public void bankTransfer(Long fromAccount, Long toAccount, Integer amount) {
    Account from = accountRepository.findOne(fromAccount);
    Account to = accountRepository.findOne(toAccount);

    from.setBalance(from.getBalance() - amount);
    to.setBalance(to.getBalance() + amount);
}
```
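Added example, not the course's code: the same transfer with the input checks a production version needs. Failing a check throws a `RuntimeException`, and `@Transactional` rolls back everything done so far in the method, so a debit can never survive without its matching credit. It assumes Spring Data 2.x (`findById` returning an `Optional`), an `Account` entity with `getBalance()`/`setBalance()` holding an integer balance, and an `AccountRepository`; `TransferService` is a name chosen for the example.

```java
// Added example, not from the course material. Assumptions: Spring Data 2.x,
// an Account entity with an integer balance, an AccountRepository.
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

@Service
public class TransferService {

    @Autowired
    private AccountRepository accountRepository;

    // Any RuntimeException thrown inside the method rolls the transaction
    // back: the entity changes made before the throw are discarded.
    @Transactional
    public void bankTransfer(Long fromAccount, Long toAccount, Integer amount) {
        if (amount == null || amount <= 0) {
            // A negative amount would silently reverse the direction of the transfer
            throw new IllegalArgumentException("amount must be positive");
        }
        if (fromAccount.equals(toAccount)) {
            throw new IllegalArgumentException("source and target must differ");
        }

        Account from = accountRepository.findById(fromAccount)
                .orElseThrow(() -> new IllegalArgumentException("unknown source account"));
        Account to = accountRepository.findById(toAccount)
                .orElseThrow(() -> new IllegalArgumentException("unknown target account"));

        if (from.getBalance() < amount) {
            throw new IllegalStateException("insufficient funds");
        }

        from.setBalance(from.getBalance() - amount);
        to.setBalance(to.getBalance() + amount);
        // Both entities are managed inside the transaction; their new state is
        // written to the database when the transaction commits.
    }
}
```

The atomicity guarantee only covers what happens inside the transaction; two concurrent transfers from the same account can still both read the old balance, so a real implementation also locks the rows (for example with a pessimistic lock on the account lookup) or uses an optimistic version column.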




### Handling Object Relations

It can happen that one object links to another object, for example a customer and their orders.

```
// package and imports

@Entity
public class Customer extends AbstractPersistable<Long> {
    // variables

    // the field customer in Order points here
    @OneToMany(mappedBy = "customer")
    private List<Order> orders = new ArrayList<>();

    // getters and setters
}

// package and imports

@Entity
public class Order extends AbstractPersistable<Long> {
    // variables

    @ManyToOne
    private Customer customer;

    // getters and setters
}
```

## The HTTP Protocol

The most widely used request methods are `GET` and `POST`, but there are also [more HTTP request methods](http://www.w3schools.com/tags/ref_httpmethods.asp).

* *The GET method should be safe, that is, without any side effects for which users are held responsible. For example, most form queries have no side effects. If a client request is intended to change stored data, the request should use some other HTTP method.*

* Using the RequestMapping to identify the HTTP method `@RequestMapping(value = "/salmiakki", method = RequestMethod.GET)`

* *HTTP is a stateless protocol which means that each request that is sent to a server is processed individually, and from the point of view of the server, the requests are not linked with each others.*
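Added example, not from the course material, that ties the GET/POST rule to the form and list templates from the Thymeleaf sections above: the form posts a `content` field to `/`, and the list template iterates `${list}`. `GET /` only reads the current list; `POST /` is the only request that changes state, and it redirects afterwards so a page reload does not resubmit the form. Assumed names: `NotesController` and a view `notes.html` that contains both templates; the notes are kept in memory so the example runs without a database.

```java
// Added example, not from the course material. Assumptions: a notes.html
// template with the form (field "content") and the th:each list from above.
import java.util.List;
import java.util.concurrent.CopyOnWriteArrayList;

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RequestParam;

@Controller
public class NotesController {

    // Thread-safe in-memory store; a real application would use a repository
    private final List<String> notes = new CopyOnWriteArrayList<>();

    // GET is safe: it only renders the current list into the "list" attribute
    // that the template's th:each="item : ${list}" iterates over
    @RequestMapping(value = "/", method = RequestMethod.GET)
    public String list(Model model) {
        model.addAttribute("list", notes);
        return "notes";
    }

    // POST changes state: it is the only handler that adds a note. A GET to
    // the same path can never append anything.
    @RequestMapping(value = "/", method = RequestMethod.POST)
    public String add(@RequestParam String content) {
        String trimmed = content.trim();
        // Reject empty and oversized input instead of storing it
        if (!trimmed.isEmpty() && trimmed.length() <= 200) {
            notes.add(trimmed);
        }
        // Redirect after POST: the browser then issues a GET, so reloading the
        // page repeats a safe request rather than the state-changing one
        return "redirect:/";
    }
}
```

The template's `th:text` escapes the stored strings when rendering, which is why the controller stores the raw (trimmed) text rather than trying to encode it itself.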

![Overview of the session](/img/session.png)

*The complexity of these three components (authentication, session management, and access control) in modern web applications, plus the fact that its implementation and binding resides on the web developer's hands (as web development framework do not provide strict relationships between these modules), makes the implementation of a secure session management module very challenging.*

### Session ID Properties

To keep the session, the Session ID has to be sent with every HTTP request in a `name=value` pair format.

Additionally the Session ID has to fulfill the following requirements:

1. 