CompTIASecPLUSAASS-part4 - Edited (1).pptx
- 2. Secure Web Browsing
Copyright © www.ine.com
»Securing the browser
• Choose your browser wisely
• Consider what operating system you will be using
• Firefox/Iceweasel for Linux
• Chrome for Linux/Windows/Apple
• Internet Explorer for Windows
- 3. Secure Web Browsing
»Securing the browser
• https://www.mozilla.org/security/known-vulnerabilities
• Vulnerabilities in Firefox tend to be patched more
quickly than in IE
• IE has a bad reputation due to its performance in
prior years
• Current versions of the browser are more secure
- 4. Secure Web Browsing
»Securing the browser
• Firefox
• Do Not Track add-on allows the user to indicate a
preference about the way personal info is collected
and used online
• Privacy browsing
• Forget button
- 5. Secure Web Browsing
»Securing the browser
• Firefox
• Secure connections
– Enforce HTTPS connections
• Anti-phishing and anti-malware protection
– Trojan horse/spyware detection
- 6. Secure Web Browsing
»Securing the browser
• Common user/programmer mistakes
• Clicking on links that could redirect the user to a
malicious website or otherwise infect the system
with malware
• Web page addresses can be faked or take the user
to an unexpected site
• Functionality often overrides security concerns
- 7. Secure Web Browsing
»Securing the browser
• Common user/programmer mistakes
• Zero-day vulnerabilities and attacks
• Bundling with additional, insecure software
– Tool bars
– Other add-ons
- 8. Secure Web Browsing
»Securing the browser
• Common user/programmer mistakes
• Many websites require users to enable certain
features or install more software
• Increases the attack surface of the browser
• Many users do not know how to securely configure
their browser
- 9. Secure Web Browsing
»Web browser security procedures
• Create and implement policies
• Hand written
• Configured within the browser/operating
system
• Configured on a central server, such as
Group Policy Objects
- 10. Secure Web Browsing
»Web browser security procedures
• Types of policies
• Add-ons
• Blacklisting of websites
• Disable scripting (JavaScript/ActiveX/Flash)
• Restrict file downloads
• Object caching protection
• Network protocol lockdown
- 11. Secure Web Browsing
»Web browser security procedures
• Train the user
• User education is implemented to change employee behavior
– Visiting malicious websites
– Downloading files
– Accessing email attachments
– Using Alt-F4 to close pop-ups
– Determine whether communications are secure
- 12. Secure Web Browsing
»Web browser security procedures
• HTTP proxies/content filters
• Cache content
• Certain websites can be filtered or blocked
– Non-family-friendly sites
– P2P/torrent
- 13. Secure Web Browsing
»Web browser security procedures
• Risks of torrenting/P2P connections
• Malware infection
• Data exposure
• Increased attack surface
• Traffic increase
• Illegal activities and prosecution
- 14. Securing Other Applications
»User account control (UAC)
• Windows Vista and later operating systems
• Keeps users in standard user mode and
escalates privileges only when necessary to
perform administrative functions
• Prevents unauthorized access
• Prevents accidental changes due to user error
- 15. Securing Other Applications
»Windows Server policy
• Disallow specific applications
• Blacklisting
• Length could get unmanageable
• Run only specifically approved applications
• Whitelisting
• Allow by exception, deny by default
- 16. Securing Other Applications
»Application patch management
• Part of a configuration management system
• Apply the most current patches, updates, or service packs
»Mobile application security
• Disable GPS tracking within the application or on the
device itself
• Utilize strong passwords for the device and all accounts
• Periodically check for security updates
- 17. Securing Other Applications
»Back-end server and database considerations
• MSSQL
• Web servers
• FTP servers
• Check for separate administrator accounts with default
passwords
• Rename default accounts
• Disable unnecessary accounts
- 18. Securing Other Applications
»Back-end server and database
considerations
• Isolate servers on different systems
• Consolidating servers is good for the budget, but
negatively impacts the security posture of the
organization
• The more services the server has running, the larger the
attack surface
• Creates a single point of failure for multiple systems
- 19. Secure Programming
»Secure coding concepts
• Best practices in the development of software
• Code hardening
»Systems development lifecycle (SDLC)
• Process of planning, developing, testing,
deploying, and maintaining systems and
applications
• Various methodologies
- 20. Secure Programming
»Phases of the SDLC
• Planning and analysis
• Assess organizational needs
• Determine goals
• Accomplish any high-level planning
• Systems design
• Define and diagram in detail the system or
application
- 21. Secure Programming
»Phases of the SDLC
• Implementation
• Write the code
• Testing
• Application or systems are thoroughly tested for
bugs, functionality, and security
- 22. Secure Programming
»Phases of the SDLC
• Deployment
• System or application is put into production
• Maintenance
• Software is monitored for performance and
security issues
• Updates and patches are periodically made
available to remedy any issues
- 23. Secure Programming
»Secure code review
• Always consider the CIA Triad
• Confidentiality
– Allow users and processes access to data and
resources that are necessary to perform their
job functions and nothing more
- 24. Secure Programming
»Secure code review
• Always consider the CIA Triad
• Integrity
– Data should not be tampered with or altered by
unauthorized parties or processes
• Availability
– Systems and data are accessible to authorized
users when necessary
- 25. Secure Programming
»Secure code review
• Quality assurance procedures
• Implemented during the development and testing
phase
• Comprehensive documentation is a must!
– Increases security
– Saves time
- 26. Secure Programming
»Secure code review
• Threat modeling
• Prioritize threats to a system or application based
on the impact
• Incorporated into the SDLC during the design,
testing, and deployment phases
- 27. Secure Programming
»Secure code review
• Threat modeling
• Identify assets
• Identify vulnerabilities (weaknesses)
• Identify threats
• Pair threats with vulnerabilities
• Prioritize based on impact
- 28. Secure Programming
»Other security principles
• Least privilege
• Users have access only to what they need
• Processes run with the least amount of access
• Could be coupled with separation of privilege
– Access depends on more than one condition
– Based on the principle that a protection mechanism with
two locks is more secure than with only one
- 29. Secure Programming
»Other security principles
• Defense-in-depth
• Layering of security controls provides better
security than any single control
• With coding, defense-in-depth can include input
validation, auditing, authentication techniques,
buffer overflow protection
- 30. Secure Programming
»Other security principles
• Input validation
• All applications require some type of user input
• User input should never be trusted
• You never know who or what is giving the
application information to process
• Is the user legitimate or an attacker?
- 31. Secure Programming
»Other security principles
• Input validation
• Data supplied in web forms or other input fields
• Ensures that user-supplied data is processed
correctly
• If data is not validated, any number of potential
problems can occur
- 32. Secure Programming
»Other security principles
• Input validation
• Buffer overflows
• Injection attacks
• DoS attacks
• Memory leakage
• Information disclosure
- 33. Secure Programming
»Other security principles
• Input validation
• Whatever data is being entered, it should not allow
the exploitation of a vulnerability
• Bad input should be rejected
• Validation should be done on the client side and on
the server side
- 34. Secure Programming
»Other security principles
• Client-side input validation
• Done first to help users correct their mistakes
• Also helps to eliminate malicious data
• Server-side input validation
• Perform the same checks on the server to
guarantee appropriate input values
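As an added example (not part of INE's slides), the server-side half of the validation described above, in Python. The field rules and form values are constructed for illustration; the block also shows the output encoding listed later under the XSS defenses, because validation limits what is stored but only encoding makes stored data safe to render.

```python
import html
import re

# Constructed rules for a registration form. The client-side script would
# apply the same rules for fast feedback, but a client can skip that script
# entirely, so the server re-checks every field before using it.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
MAX_BIO_LEN = 200


def validate_registration(form: dict) -> dict:
    """Return a dict of field -> error message; an empty dict means valid.

    Only the expected fields are read, and each is checked against an
    allow-list of acceptable values rather than a deny-list of bad ones.
    """
    errors = {}
    username = form.get("username", "")
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        errors["username"] = "3-20 letters, digits or underscores"
    email = form.get("email", "")
    if not isinstance(email, str) or not EMAIL_RE.fullmatch(email):
        errors["email"] = "not a valid e-mail address"
    bio = form.get("bio", "")
    if not isinstance(bio, str) or len(bio) > MAX_BIO_LEN:
        errors["bio"] = f"must be at most {MAX_BIO_LEN} characters"
    elif any(ord(c) < 32 and c not in "\n\t" for c in bio):
        errors["bio"] = "control characters are not allowed"
    return errors


def render_profile(username: str, bio: str) -> str:
    """Output-encode user data for an HTML body context.

    html.escape turns &, <, >, " and ' into entities, so whatever passed
    validation is displayed as text and never interpreted as markup.
    """
    return f"<h1>{html.escape(username)}</h1><p>{html.escape(bio)}</p>"


if __name__ == "__main__":
    # Constructed submission that skipped the client-side checks.
    bad = {"username": "bob<script>", "email": "x", "bio": "hi"}
    print(validate_registration(bad))
    good = {"username": "bob_42", "email": "bob@example.com",
            "bio": "I <3 security & <b>bold</b> claims"}
    assert not validate_registration(good)
    print(render_profile(good["username"], good["bio"]))
```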
- 35. Secure Programming
»Other security principles
• Minimize the attack surface
• As the complexity of an application grows, so does
the attack surface
• Unnecessary functions should be removed
• Use authentication or validation for necessary
functions
- 36. Secure Programming
»Other security principles
• Establish secure defaults
• Password complexity, history, and aging
requirements should be defined by the programmer
and not the user
• Permissions should default to no access
• Permissions should be granted as needed
- 37. Secure Programming
»Other security principles
• Fail-secure or fail-closed
• How systems or applications fail will determine
their security
• Failure exceptions can leak information useful to an
attacker
• For example, an unhandled error message can reveal the programming language in use
- 38. Secure Programming
»Other security principles
• Properly address security issues
• Vulnerabilities should be tested and well
documented
• Patches developed and tested
• Constant monitoring of correct behavior
- 39. Secure Programming
»Testing methods
• Black-box testing
• Testers will not have any information about the
system
• Functionality is tested
• One of the most common goals is to crash the
program
- 40. Secure Programming
»Testing methods
• White-box testing
• Also known as transparent testing
• Tests the internal workings of an application
• Testers must have programming knowledge
• Testers are given detailed knowledge about the system,
diagrams, source code, and any production documentation
- 41. Secure Programming
»Testing methods
• Gray-box testing
• Tester has internal knowledge of the application or system
but conducts the test from the user level rather than from an
internal perspective
- 42. Secure Programming
»Additional testing concepts
• Sandbox
• Code runs in an isolated environment
• Used to test unverified applications for malware
and vulnerabilities
• Can also be used for other security testing
- 43. Secure Programming
»Additional testing concepts
• Fuzzing
• Random data is fed to the application
• Typically done with an automated program
• Program is monitored for crashes or error
messages
- 44. Secure Programming
»Additional testing concepts
• Fuzzing
• Issues with exception handling
• Memory leaks
• System failures
- 45. Programming Vulnerabilities & Attacks
»Backdoors
• Can be used to bypass normal authentication
and security mechanisms
• Installed by the creators of the software
• Installed by malicious parties wishing to
exploit the system
- 46. Programming Vulnerabilities & Attacks
»Buffer overflows
• Programmers allocate memory for applications
• Data overflows the intended buffer space
• Can allow arbitrary code execution
• cmd.exe on Windows
• /bin/bash on *nix
- 47. Programming Vulnerabilities & Attacks
»Buffer overflows
• Smashing the stack
• Data exceeds the allocated fixed-length buffer
• Results in data corruption or data overwrite
• System crash
• Arbitrary code execution
- 48. Programming Vulnerabilities & Attacks
»Buffer overflows
• Spraying the heap
• Dynamically allocated memory
• Memory contains program data
• Overwrites the program function pointer
• Directs the pointer to the arbitrary code
- 49. Programming Vulnerabilities & Attacks
»Integer overflow
• Arithmetic operations result in numeric values
that exceed the allocated memory space
• Creates a condition known as a wrap
• Can cause program resets and unintended
behavior
• Could also lead to a buffer overflow
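Added example, not from the slides: Python integers do not overflow, so this block emulates 32-bit arithmetic to show the wrap described above and how a size computation that wraps turns into an undersized buffer. The record count and element size are constructed values.

```python
UINT32_MAX = 0xFFFFFFFF


def to_uint32(x: int) -> int:
    """Keep only the low 32 bits, as storing into a uint32_t would."""
    return x & UINT32_MAX


def to_int32(x: int) -> int:
    """Interpret an integer as a signed 32-bit value (two's-complement wrap)."""
    x &= UINT32_MAX
    return x - (1 << 32) if x & 0x80000000 else x


def alloc_size_unchecked(count: int, elem_size: int) -> int:
    """Buffer size the way a C program computes it in uint32_t arithmetic.

    When count * elem_size exceeds 2**32 the product wraps and the program
    allocates a buffer far smaller than the data it will then copy into it:
    the integer overflow becomes a buffer overflow.
    """
    return to_uint32(count * elem_size)


def alloc_size_checked(count: int, elem_size: int) -> int:
    """Reject any count * elem_size that does not fit in 32 bits.

    The bound is checked with a division rather than by multiplying first,
    because the multiplication is exactly the operation that wraps.
    """
    if count < 0 or elem_size <= 0:
        raise ValueError("invalid allocation parameters")
    if count > UINT32_MAX // elem_size:
        raise OverflowError("count * elem_size exceeds 32 bits")
    return count * elem_size


def allocation_is_safe(count: int, elem_size: int) -> bool:
    """True when the checked computation accepts the request."""
    try:
        alloc_size_checked(count, elem_size)
        return True
    except (ValueError, OverflowError):
        return False


def bytes_past_end(count: int, elem_size: int) -> int:
    """How many bytes a full copy would write beyond the wrapped allocation."""
    return count * elem_size - alloc_size_unchecked(count, elem_size)


if __name__ == "__main__":
    # Constructed request: 1,073,741,825 records of 4 bytes each.
    count, elem_size = 0x40000001, 4
    print("wrapped allocation size:", alloc_size_unchecked(count, elem_size))
    print("bytes written past it:", bytes_past_end(count, elem_size))
    print("signed counter 2147483647 + 1 ->", to_int32(2147483647 + 1))
    print("checked version accepts it:", allocation_is_safe(count, elem_size))
```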
- 50. Programming Vulnerabilities & Attacks
»Arbitrary/remote code execution
• Attacker gains control of a system through the
exploitation of a vulnerability
• Execute commands on the system
• Escalate privilege
• Pivot the attack further into the network
- 51. Programming Vulnerabilities & Attacks
»Arbitrary/remote code execution
• Netcat
• Reading from and writing to network connections
using TCP or UDP
• Debugging and troubleshooting tool
• Port scanner, listener, and file transfer device
- 52. Programming Vulnerabilities & Attacks
»Arbitrary/remote code execution
• Defenses
• Update applications
• Fuzz testing
• Strong input validation
– Client and server side
- 53. Programming Vulnerabilities & Attacks
»Cross-site scripting (XSS)
• Software vulnerability
• Exploited by code injection attacks
• Attacker inserts malicious code into a web page
• Attempts privilege escalation
• Cookie theft
• Session hijacking
- 54. Programming Vulnerabilities & Attacks
»Cross-site scripting (XSS)
• Defenses
• Output encoding
• Disable use of HTML tags
• Strong input validation
• Disable scripts within the browser
- 55. Programming Vulnerabilities & Attacks
»Cross-site request forgery
• User’s browser is compromised
• Browser transmits unauthorized commands to the web
server
• Forces an end user to execute unwanted actions on a web
application in which they are currently authenticated
• Can lead to a compromise of data or the entire web
application depending on the level of access of the user
- 56. Programming Vulnerabilities & Attacks
»Cross-site request forgery
• Defenses
• Synchronizer token pattern
• Encrypted token pattern
• Challenge-response
• Double submit cookies
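Added example (not the course's code) of two of the defenses listed above, the synchronizer token and an HMAC-bound double submit cookie. The server key, the session dictionary and the transfer endpoint are constructed stand-ins for a real framework.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed server-side secret; a real deployment loads it from configuration.
SERVER_KEY = secrets.token_bytes(32)


# --- Synchronizer token pattern -------------------------------------------
def issue_sync_token(session: dict) -> str:
    """Generate a random token, keep it in the server-side session, and
    return it so the form can carry it in a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def check_sync_token(session: dict, submitted: Optional[str]) -> bool:
    """Accept only if the submitted field equals the token stored for this
    session. A page on another origin cannot read the victim's form, so a
    cross-site request arrives without the token; compare_digest keeps the
    comparison constant-time."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


# --- Double submit cookie pattern (HMAC-bound variant) ---------------------
def issue_double_submit_token(session_id: str) -> str:
    """Token derived from the session id under the server key; the server
    sets it as a cookie and also places it in the form."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_double_submit(session_id: str, cookie_token: Optional[str],
                        form_token: Optional[str]) -> bool:
    """Cookie and form value must match each other and must be the HMAC for
    this session, so a matching pair cannot be produced without SERVER_KEY."""
    if not cookie_token or not form_token:
        return False
    if not hmac.compare_digest(cookie_token, form_token):
        return False
    return hmac.compare_digest(issue_double_submit_token(session_id), form_token)


def handle_transfer(request: dict, session: dict) -> str:
    """Constructed state-changing endpoint guarded by the synchronizer token.
    `request` holds the parsed form fields; `session` is the server-side
    session found via the session cookie the browser attached."""
    if not check_sync_token(session, request.get("csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {request['amount']} to {request['to']}"


if __name__ == "__main__":
    session = {"user": "alice"}
    token = issue_sync_token(session)
    # Submission from the site's own form carries the token.
    print(handle_transfer({"to": "bob", "amount": "10", "csrf_token": token}, session))
    # Request that did not originate from the site's form: the browser still
    # attached the session cookie, but the token is absent, so it is refused.
    print(handle_transfer({"to": "bob", "amount": "10"}, session))
```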
- 57. Programming Vulnerabilities & Attacks
»Other code injection attacks
• Structured Query Language attacks
• Attack on a database
• Lightweight Directory Access Protocol (LDAP)
• Similar to SQL injection attacks
• Extensible Markup Language (XML) attacks
• Used to create new users
• Obtain administrative access
- 58. Programming Vulnerabilities & Attacks
»Directory traversal attacks
• Also known as the dot-dot-slash attack (../)
• Method of accessing unauthorized or root directories
• Exploits insufficient security validation/sanitization of
user-supplied input file names, so that characters
representing "traverse to parent directory" are passed
through to the file APIs
- 59. Programming Vulnerabilities & Attacks
»Directory traversal attacks
• Defenses
• Validate user input from browsers
• Filters can be used to block certain user input
• Block URLs containing commands and escape codes that are
commonly used by attackers
• Web server software should be kept up to date with current
patches
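Added example, not from the slides: a Python function that applies the input-validation defense above to a user-supplied file name before it reaches the file API. The document root is a constructed value.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root; an assumption for this example.
BASE_DIR = "/srv/www/files"


def safe_file_path(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Map a user-supplied relative file name to a path under base_dir.

    Raises ValueError for anything that would leave the root: "../"
    sequences, their percent-encoded and double-encoded forms, backslash
    variants, absolute paths and NUL bytes. posixpath is used so the check
    behaves the same on every platform.
    """
    # Decode twice so "%252e%252e" (double encoding) is seen as "..".
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/") or not decoded.strip():
        raise ValueError("absolute or empty path")
    candidate = posixpath.normpath(posixpath.join(base_dir, decoded))
    # normpath resolves "." and "..", so the only remaining question is
    # whether the result is still inside base_dir. commonpath compares whole
    # components, so "/srv/www/files_backup" is not mistaken for a child of
    # "/srv/www/files" the way a plain startswith() check would.
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError("path escapes the document root")
    if candidate == base_dir:
        raise ValueError("no file specified")
    return candidate


def is_safe_path(user_path: str) -> bool:
    """Convenience wrapper: True when safe_file_path accepts the input."""
    try:
        safe_file_path(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs a download handler might receive in a URL.
    for p in ["reports/q1.pdf", "reports/../q1.pdf", "../../etc/passwd",
              "%2e%2e%2f%2e%2e%2fetc%2fpasswd", "%252e%252e/etc/passwd",
              "..\\..\\windows\\win.ini", "../files_backup/secret", "."]:
        print(f"{p!r:36} -> {'allowed' if is_safe_path(p) else 'rejected'}")
```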
- 60. Programming Vulnerabilities & Attacks
»Zero-day vulnerabilities
• Bug or hole in software that is unknown to the
vendor
• Exploited by attackers before the vendor becomes
aware or releases a patch
• Can evade purely signature-based detection until a
patch is released
• Used in targeted attacks (Stuxnet)
- 61. Programming Vulnerabilities & Attacks
»Zero-day vulnerabilities
• Defenses
• Difficult to defend against
• Heuristic-based and behavior-based monitoring
• Firewalls
• Whitelisting applications
- 62. Securing the Operating System
»Hardening
• Secure configuration
• Creation of policies and rules
• Removal of unnecessary services
• Closing of unused ports
• Apply patches and hotfixes
- 63. Securing the Operating System
»Removal of unnecessary services
• Services use hard drive space/CPU cycles
• Increase the attack surface
• Applications can also interfere with employee
productivity
• Instant messaging
- 64. Securing the Operating System
»Removal of unnecessary services
• Enterprise options for group management
• Microsoft System Center Configuration Manager
• Allows an administrator to manage software
configurations and policies from a central
workstation
- 65. Securing the Operating System
»Application whitelisting/blacklisting
• Blacklisting is a more time-consuming process
• Allow only those applications that are
necessary for the duties of the employee
• Allow only trusted applications
• Replace insecure applications with secure
counterparts (SSH for Telnet)
- 66. Securing the Operating System
»Stopping and starting services in
Windows
• net start and net stop commands
• net stop mpssvc – stops the firewall
• net start mpssvc – starts the firewall
• sc config mpssvc start= disabled – prevents the firewall service from starting at boot
- 67. Securing the Operating System
»Stopping and starting services in Linux
• Display list of services
• service --status-all
• Stopping services
• /etc/init.d/<servicename> stop
• service <name> start/stop
- 68. Securing the Operating System
»Stopping and starting services in OSX
client
• Terminal command
• kill <pid>
• Utilize the activity monitor
• taskkill and kill
• Windows and *nix commands, respectively, to kill the underlying process
- 69. Securing the Operating System
»Service packs
• Microsoft updates/fixes/drivers
• SPs are numbered
• SP1, SP2
• An OS without a service pack is considered SP0
• Discover the current service pack from the Start
menu/right-click ‘Computer’ and select
‘Properties’
- 70. Securing the Operating System
»Windows updates/patches/hotfixes
• Types of updates
• Critical updates and service packs
• Windows updates
• Driver updates
• User notification
• Shield icon from Windows Security Center
- 71. Securing the Operating System
»Configure the system for automatic updates
• Start Menu > All Programs > Windows Update
• Click ‘Change settings’ – the third menu option
• Select ‘Install Updates Automatically’ from the
drop-down menu
• Options to set the time to avoid interrupting your
work routine
- 72. Securing the Operating System
»Application patches and hotfixes
• What is a hotfix?
• Single patch for Windows to fix a running system
• Typically used without a reboot
• Definitions of hotfixes vary from vendor to
vendor
• Patch version/point release
- 73. Securing the Operating System
»Patches
• Larger and more in-depth than hotfixes
• Patches might fix one issue but create others
»Patch management
• Planning
• Testing
• Implementing
• Auditing
- 74. Securing the Operating System
»Hardening file systems and drives
• Examining the file system
• Chkdsk from the command prompt
• Right-click the drive in the GUI
– Select the ‘Properties’ option
– NTFS, HFS, or EXT4
- 75. Securing the Operating System
»Hardening file systems and drives
• NTFS characteristics
• File-level security
• Tracking of permissions within ACLs
• convert <volume> /FS:NTFS
• View additional options
– convert /?
- 76. Securing the Operating System
»Hardening hard disk drives (HDDs)
• Mechanical systems will experience failure at
some point
• Causes of HDD mechanical failures
• Worn-out parts
• External factors
– Natural causes
– User error/mishandling
- 77. Securing the Operating System
»Hardening hard disk drives (HDDs)
• HDD maintenance
• Whole disk encryption
– Protects the confidentiality of information
• Create data backups
– Duplicate data whenever possible
- 78. Securing the Operating System
»Hardening hard disk drives (HDDs)
• HDD maintenance
• Windows defragmentation
• Remove temporary files
– Utilize the ‘disk cleanup’ program
– Run at every logoff
- 79. Securing the Operating System
»Hardening hard disk drives (HDDs)
• HDD maintenance
• Audit system files on a periodic basis
– Verify the integrity of the operating system files
– CHKDSK – Check disk finds lost files and errors
- 80. Securing the Operating System
»Hardening hard disk drives (HDDs)
• HDD maintenance
• System file checker
– SFC at the command line
– Checks and replaces system files
– SFC /scannow
- 81. Securing the Operating System
»Hardening hard disk drives (HDDs)
• HDD maintenance
• Linux commands
– fsck – Checks and repairs the file system
• Additional recommendations
– Create restore points within the operating
system
- 82. Securing the Operating System
»Hardening hard disk drives (HDDs)
• Windows System Restore
• rstrui.exe
• Reverses registry changes made by software and
hardware
• Manual creation
• No Linux counterpart
- 83. Securing the Operating System
»Compartmentalization
• Keep data and the operating system on separate
volumes
• OS infection will not cause a data loss
• Data infection will not affect the operating system
• Back up system settings
• If drives are not available, partitions can be
utilized
- 84. Putting It All Together
»A security approach from the physical to the
application layer
• Guarantee availability with a generator and
UPS
• Limit physical access
• Update the BIOS
• Update the operating system
• Update the AV/anti-malware/spyware
- 85. Putting It All Together
»A security approach from the physical to the
application layer
• Update the firewall
• Perform disk maintenance
• Cleanup
• Defragmentation
• Create restore points
- 86. Virtualization Technologies
»Virtual machines
• Shares hardware resources with other
applications
• Can be said to run “inside” the main operating
system
• Benefits
• Maximizes the physical resources
• Can limit malware infection
• Allows different OSs to interact with the system
hardware
- 87. Virtualization Technologies
»Virtual machines
• Potential issues
• Virtualization software presents a single point of
failure
• Can be resource intensive if not planned for
• Additional administration tasks
- 89. Virtualization Technologies
»Virtual machines
• Types of virtual machines
• Process
– Allows for the use of a single application
• System
– Complete workstation platform
- 90. Virtualization Technologies
»Virtual machines
• Security benefits
• Processes have a much more difficult time crossing
software boundaries
• Malware will have a much more difficult time
spreading to other systems
- 91. Virtualization Technologies
»Virtual machines
• Security benefits
• Malware can infect the virtual system
– Provides a safe environment to conduct tests
– Could be considered a sheep-dip computer to
test external media as with a poisoned apple
attack
- 92. Virtualization Technologies
»Virtual machines
• Hypervisor
• The virtual machine software that allows multiple
virtual machines to communicate
• Allows multiple VMs to work on the same machine
• Also known as the virtual machine manager
- 93. Virtualization Technologies
»Virtual machines
• Types of hypervisor
• Native
– Runs directly on the host computer hardware
– AKA, “bare metal”
– No intermediary operating system
- 94. Virtualization Technologies
»Virtual machines
• Types of hypervisor
• Hosted
– Runs on top of an existing operating system
– Example: VMware running on a Windows 7
machine
- 95. Virtualization Technologies
»Virtual machines
• Hypervisors
• Bare metal hypervisors are faster because they do
not have to compete with the host operating
system for CPU cycles
• System resources can also be adjusted more
quickly
- 96. Virtualization Technologies
»Virtual machines
• Securing virtual machines
• Same procedures can be used as when securing a
physical machine operating system
• Update with the most current service pack
• Ensure patch compatibility
• Newest AV definition file