Application, Data, & Host Security
www.ine.com
Secure Web Browsing
Copyright © www.ine.com
»Securing the browser
• Choose your browser wisely
• Consider what operating system you will be using
• Firefox/Iceweasel for Linux
• Chrome for Linux/Windows/Apple
• Internet Explorer for Windows
»Securing the browser
• https://www.mozilla.org/security/known-vulnerabilities
• Vulnerabilities in Firefox tend to be patched more
quickly than in IE
• IE has a bad reputation due to its performance in
prior years
• Current versions of the browser are more secure
»Securing the browser
• Firefox
• Do Not Track add-on allows the user to indicate a
preference about the way personal info is collected
and used online
• Privacy browsing
• Forget button
»Securing the browser
• Firefox
• Secure connections
– Enforce HTTPS connections
• Anti-phishing and anti-malware protection
– Trojan horse/spyware detection
»Securing the browser
• Common user/programmer mistakes
• Clicking on links that could redirect the user to a
malicious website or otherwise infect the system
with malware
• Web page addresses can be faked or take the user
to an unexpected site
• Functionality often overrides security concerns
»Securing the browser
• Common user/programmer mistakes
• Zero-day vulnerabilities and attacks
• Bundling with additional, insecure software
– Tool bars
– Other add-ons
»Securing the browser
• Common user/programmer mistakes
• Many websites require users to enable certain
features or install more software
• Increases the attack surface of the browser
• Many users do not know how to securely configure
their browser
»Web browser security procedures
• Create and implement policies
• Hand written
• Configured within the browser/operating
system
• Configured on a central server, such as
Group Policy Objects
»Web browser security procedures
• Types of policies
• Add-ons
• Blacklisting of websites
• Disable scripting (JavaScript/ActiveX/Flash)
• Restrict file downloads
• Object caching protection
• Network protocol lockdown
»Web browser security procedures
• Train the user
• User education is implemented to change employee behavior
– Visiting malicious websites
– Downloading files
– Accessing email attachments
– Using Alt+F4 to close pop-ups
– Determine whether communications are secure
»Web browser security procedures
• HTTP proxies/content filters
• Cache content
• Certain websites can be filtered or blocked
– Non-family-friendly sites
– P2P/torrent
»Web browser security procedures
• Risks of torrenting/P2P connections
• Malware infection
• Data exposure
• Increased attack surface
• Traffic increase
• Illegal activities and prosecution
Securing Other Applications
»User account control (UAC)
• Windows Vista and later operating systems
• Keeps users in standard user mode and
escalates privileges only when necessary to
perform administrative functions
• Prevents unauthorized access
• Prevents accidental changes due to user error
»Windows Server policy
• Disallow specific applications
• Blacklisting
• Length could get unmanageable
• Run only specifically approved applications
• Whitelisting
• Allow by exception, deny by default
»Application patch management
• Part of a configuration management system
• Apply the most current patches, updates, or service packs
»Mobile application security
• Disable GPS tracking within the application or on the
device itself
• Utilize strong passwords for the device and all accounts
• Periodically check for security updates
»Back-end server and database considerations
• MSSQL
• Web servers
• FTP servers
• Check for separate administrator accounts with default
passwords
• Rename default accounts
• Disable unnecessary accounts
»Back-end server and database considerations
• Isolate servers on different systems
• Consolidating servers is good for the budget, but
negatively impacts the security posture of the
organization
• The more services the server has running, the larger the
attack surface
• Creates a single point of failure for multiple systems
Secure Programming
»Secure coding concepts
• Best practices in the development of software
• Code hardening
»Systems development lifecycle (SDLC)
• Process of planning, developing, testing,
deploying, and maintaining systems and
applications
• Various methodologies
»Phases of the SDLC
• Planning and analysis
• Assess organizational needs
• Determine goals
• Accomplish any high-level planning
• Systems design
• Define and diagram in detail the system or
application
»Phases of the SDLC
• Implementation
• Write the code
• Testing
• Application or systems are thoroughly tested for
bugs, functionality, and security
»Phases of the SDLC
• Deployment
• System or application is put into production
• Maintenance
• Software is monitored for performance and
security issues
• Updates and patches are periodically made
available to remedy any issues
»Secure code review
• Always consider the CIA Triad
• Confidentiality
– Allow users and processes access to data and
resources that are necessary to perform their
job functions and nothing more
»Secure code review
• Always consider the CIA Triad
• Integrity
– Data should not be tampered with or altered by
unauthorized parties or processes
• Availability
– Systems and data are accessible to authorized
users when necessary
»Secure code review
• Quality assurance procedures
• Implemented during the development and testing
phase
• Comprehensive documentation is a must!
– Increases security
– Saves time
»Secure code review
• Threat modeling
• Prioritize threats to a system or application based
on the impact
• Incorporated into the SDLC during the design,
testing, and deployment phases
»Secure code review
• Threat modeling
• Identify assets
• Identify vulnerabilities (weaknesses)
• Identify threats
• Pair threats with vulnerabilities
• Prioritize based on impact
»Other security principles
• Least privilege
• Users have access only to what they need
• Processes run with the least amount of access
• Could be coupled with separation of privilege
– Access depends on more than one condition
– Based on the principle that a protection mechanism with
two locks is more secure than with only one
»Other security principles
• Defense-in-depth
• Layering of security controls provides better
security than any single control
• With coding, defense-in-depth can include input
validation, auditing, authentication techniques,
buffer overflow protection
»Other security principles
• Input validation
• All applications require some type of user input
• User input should never be trusted
• You never know who or what is giving the
application information to process
• Is the user legitimate or an attacker?
»Other security principles
• Input validation
• Data supplied in web forms or other input fields
• Ensures that user-supplied data is processed
correctly
• If data is not validated, any number of potential
problems can occur
»Other security principles
• Input validation
• Buffer overflows
• Injection attacks
• DoS attacks
• Memory leakage
• Information disclosure
»Other security principles
• Input validation
• Whatever data is being entered, it should not allow
the exploitation of a vulnerability
• Bad input should be rejected
• Validation should be done on the client side and on
the server side
»Other security principles
• Client-side input validation
• Done first to help users correct their mistakes
• Also helps to eliminate malicious data
• Server-side input validation
• Perform the same checks on the server to
guarantee appropriate input values
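Server-side validation as the slides describe it, written as an added example (not part of the INE deck): a registration form is checked against allowlist rules, bad input is rejected rather than repaired, and the error strings never echo the input. The field names, patterns and limits are assumptions chosen for illustration.

```python
import re

# Allowlist patterns: state what IS acceptable rather than trying to block
# every bad pattern. Field names and limits are constructed for this example.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
MAX_FIELD_LEN = 256          # hard cap applied before any other check
ALLOWED_FIELDS = {"username", "email", "age"}


def validate_registration(form):
    """Return (clean_values, errors).

    Mirrors the checks a client-side script would do, because the client
    can be bypassed entirely. On any failure clean_values is empty and the
    errors are generic: they do not reflect the submitted value back.
    """
    clean, errors = {}, {}

    # Unexpected fields are not part of the contract: reject the whole form.
    if set(form) - ALLOWED_FIELDS:
        return {}, {"_form": "unexpected fields"}

    for name in sorted(ALLOWED_FIELDS):
        value = form.get(name)
        if not isinstance(value, str):
            errors[name] = "missing"
            continue
        # Length cap and control-character check apply to every field.
        if len(value) > MAX_FIELD_LEN or "\x00" in value:
            errors[name] = "invalid"
            continue

        if name == "username":
            if USERNAME_RE.fullmatch(value):
                clean[name] = value
            else:
                errors[name] = "invalid"
        elif name == "email":
            if EMAIL_RE.fullmatch(value):
                clean[name] = value.lower()
            else:
                errors[name] = "invalid"
        elif name == "age":
            # Type plus range check. isascii()/isdigit() reject signs,
            # spaces, decimals and non-ASCII digit characters.
            if value.isascii() and value.isdigit() and 13 <= int(value) <= 120:
                clean[name] = int(value)
            else:
                errors[name] = "invalid"

    # Fail closed: one bad field means nothing is accepted.
    return (clean, {}) if not errors else ({}, errors)
```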
»Other security principles
• Minimize the attack surface
• As the complexity of an application grows, so does
the attack surface
• Unnecessary functions should be removed
• Use authentication or validation for necessary
functions
»Other security principles
• Establish secure defaults
• Password complexity, history, and aging
requirements should be defined by the programmer
and not the user
• Permissions should default to no access
• Permissions should be granted as needed
»Other security principles
• Fail-secure or fail-closed
• How systems or applications fail will determine
their security
• Failure exceptions can leak information useful to an
attacker
• For example, by revealing the programming language in use
»Other security principles
• Properly address security issues
• Vulnerabilities should be tested and well
documented
• Patches developed and tested
• Constant monitoring of correct behavior
»Testing methods
• Black-box testing
• Testers will not have any information about the
system
• Functionality is tested
• One of the most common goals is to crash the
program
»Testing methods
• White-box testing
• Also known as transparent testing
• Tests the internal workings of an application
• Testers must have programming knowledge
• Testers are given detailed knowledge about the system,
diagrams, source code, and any production documentation
»Testing methods
• Gray-box testing
• Tester has internal knowledge of the application or system
but conducts the test from the user level rather than from an
internal perspective
»Additional testing concepts
• Sandbox
• Code runs in an isolated environment
• Used to test unverified applications for malware
and vulnerabilities
• Can also be used for other security testing
»Additional testing concepts
• Fuzzing
• Random data is fed to the application
• Typically done with an automated program
• Program is monitored for crashes or error
messages
»Additional testing concepts
• Fuzzing
• Issues with exception handling
• Memory leaks
• System failures
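The fuzzing loop described on the two slides above, as an added example that is not part of the INE deck: mutated inputs are fed to a parser automatically and the run is monitored for unhandled exceptions. The record format, the parser with its unchecked read, and the mutation strategy are all constructed for this illustration.

```python
import random
from collections import Counter

# Constructed record format: [len][payload ...][checksum], repeated until the
# input ends, where checksum = sum(payload) & 0xFF.


def make_record(payload):
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])


SEED_INPUT = make_record(b"hello") + make_record(b"world")   # constructed, valid


def parse_records_buggy(data):
    """Trusts the length byte: reads past the end when a record is truncated."""
    out, i = [], 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1:i + 1 + n]
        chk = data[i + 1 + n]          # IndexError on truncated/oversized length
        if chk != sum(payload) & 0xFF:
            raise ValueError("bad checksum")
        out.append(payload)
        i += n + 2
    return out


def parse_records_safe(data):
    """Same format; every read is bounds-checked and bad input is rejected."""
    out, i = [], 0
    while i < len(data):
        n = data[i]
        end = i + 1 + n
        if end >= len(data):
            raise ValueError("truncated record")
        payload = data[i + 1:end]
        if data[end] != sum(payload) & 0xFF:
            raise ValueError("bad checksum")
        out.append(payload)
        i = end + 1
    return out


def mutate(rng, data):
    """One random mutation: flip a byte, truncate, or append junk."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 8)))
    return bytes(buf)


def fuzz(parser, seed_input=SEED_INPUT, iterations=500, seed=1):
    """Feed mutated inputs to parser and count crashes by exception type.

    ValueError is the parser's documented rejection path, so it is not a
    crash; anything else means the parser lost control of its own input.
    """
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    crashes = Counter()
    for _ in range(iterations):
        sample = mutate(rng, seed_input)
        try:
            parser(sample)
        except ValueError:
            continue
        except Exception as exc:
            crashes[type(exc).__name__] += 1
    return crashes
```

Both parsers agree on well-formed input; only the fuzzer, not a functional test, separates them.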
Programming Vulnerabilities & Attacks
»Backdoors
• Can be used to bypass normal authentication
and security mechanisms
• Installed by the creators of the software
• Installed by malicious parties wishing to
exploit the system
»Buffer overflows
• Programmers allocate memory for applications
• Data overflows the intended buffer space
• Can allow arbitrary code execution
• cmd.exe on Windows
• /bin/bash on *nix
»Buffer overflows
• Smashing the stack
• Data exceeds the allocated fixed-length buffer
• Results in data corruption or data overwrite
• System crash
• Arbitrary code execution
»Buffer overflows
• Spraying the heap
• Dynamically allocated memory
• Memory contains program data
• Overwrites the program function pointer
• Directs the pointer to the arbitrary code
»Integer overflow
• Arithmetic operations result in numeric values
that exceed the allocated memory space
• Creates a condition known as a wrap
• Can cause program resets and unintended
behavior
• Could also lead to a buffer overflow
»Arbitrary/remote code execution
• Attacker gains control of a system through the
exploitation of a vulnerability
• Execute commands on the system
• Escalate privilege
• Pivot the attack further into the network
»Arbitrary/remote code execution
• Netcat
• Reading from and writing to network connections
using TCP or UDP
• Debugging and troubleshooting tool
• Port scanner, listener, and file transfer device
»Arbitrary/remote code execution
• Defenses
• Update applications
• Fuzz testing
• Strong input validation
– Client and server side
»Cross-site scripting (XSS)
• Software vulnerability
• Exploited by code injection attacks
• Attacker inserts malicious code into a web page
• Attempts privilege escalation
• Cookie theft
• Session hijacking
»Cross-site scripting (XSS)
• Defenses
• Output encoding
• Disable use of HTML tags
• Strong input validation
• Disable scripts within the browser
»Cross-site request forgery
• User’s browser is compromised
• Browser transmits unauthorized commands to the web
server
• Forces an end user to execute unwanted actions on a web
application in which they are currently authenticated
• Can lead to a compromise of data or the entire web
application depending on the level of access of the user
»Cross-site request forgery
• Defenses
• Synchronizer token pattern
• Encrypted token pattern
• Challenge-response
• Double submit cookies
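Two of the CSRF defenses listed above, the synchronizer token pattern and the double-submit cookie, as an added example that is not part of the INE deck. The in-memory session store, the server key and the token layout are assumptions; token comparison is constant-time throughout, and the double-submit value is bound to the session with an HMAC so a cookie planted by an attacker does not verify.

```python
import hashlib
import hmac
import secrets

SESSIONS = {}                         # constructed: session_id -> session data
SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret, generated at start


def new_session():
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


# --- Synchronizer token pattern -------------------------------------------
# The token lives server-side in the session and is embedded in every form;
# a state-changing request must echo it back.

def issue_sync_token(sid):
    return SESSIONS[sid]["csrf"]


def verify_sync_token(sid, submitted):
    sess = SESSIONS.get(sid)
    if sess is None or not submitted:
        return False
    return hmac.compare_digest(sess["csrf"], submitted)


# --- Double-submit cookie pattern (signed variant) -------------------------
# The server keeps no token state. The value goes into a cookie AND the form;
# a cross-site request cannot read the cookie, so it cannot fill the form
# field to match. The HMAC over (session id, nonce) ties the value to this
# session, so an attacker able to set cookies cannot supply their own pair.

def _double_submit_mac(sid, nonce):
    msg = f"{sid}.{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_double_submit(sid):
    nonce = secrets.token_urlsafe(16)
    return f"{nonce}.{_double_submit_mac(sid, nonce)}"


def verify_double_submit(sid, cookie_value, form_value):
    if not cookie_value or not form_value:
        return False
    if not hmac.compare_digest(cookie_value, form_value):
        return False
    nonce, sep, mac = cookie_value.partition(".")
    if not sep:
        return False
    return hmac.compare_digest(_double_submit_mac(sid, nonce), mac)


def handle_transfer(sid, form, cookies):
    """Simulated state-changing endpoint: accept only if BOTH checks pass.
    Returns a status string rather than performing any action."""
    if not verify_sync_token(sid, form.get("csrf_token")):
        return "rejected: synchronizer token"
    if not verify_double_submit(sid, cookies.get("csrf"), form.get("csrf_cookie")):
        return "rejected: double-submit cookie"
    return "accepted"
```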
»Other code injection attacks
• Structured Query Language attacks
• Attack on a database
• Lightweight Directory Access Protocol (LDAP)
• Similar to SQL injection attacks
• Extensible Markup Language (XML) injection attacks
• Used to create new users
• Obtain administrative access
»Directory traversal attacks
• Also known as the dot-dot-slash attack (../)
• Method of accessing unauthorized or root directories
• Exploits insufficient security validation/sanitization of
user-supplied input file names, so that characters
representing "traverse to parent directory" are passed
through to the file APIs
»Directory traversal attacks
• Defenses
• Validate user input from browsers
• Filters can be used to block certain user input
• Block URLs containing commands and escape codes that are
commonly used by attackers
• Web server software should be kept up to date with current
patches
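The input validation defense for directory traversal, as an added example that is not part of the INE deck: a user-supplied file name is decoded once, checked for traversal components (including encoded and backslash forms), and the resolved path is confirmed to still sit under the base directory. The base directory and the helper names are assumptions for this illustration.

```python
import posixpath
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised for any input that is not a plain relative path under the base."""


def safe_join(base_dir, user_path):
    """Resolve user_path inside base_dir or raise TraversalError.

    Rejection beats normalisation: a '..' component is refused outright
    even when it would have stayed inside base_dir, matching the slide's
    advice to block escape sequences commonly used by attackers.
    """
    base = posixpath.normpath(base_dir)

    if "\x00" in user_path:
        raise TraversalError("null byte in path")

    # Decode percent-encoding exactly once. If a second decode changes the
    # string, the input was double-encoded (e.g. %252e%252e%252f) and is
    # trying to slip past a single decoding layer.
    decoded = unquote(user_path)
    if unquote(decoded) != decoded:
        raise TraversalError("double-encoded input")

    # Treat backslashes as separators too, so ..\ is not missed when the
    # application is served from a Windows host.
    decoded = decoded.replace("\\", "/")
    if decoded.startswith("/"):
        raise TraversalError("absolute path not allowed")

    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if not parts:
        raise TraversalError("empty path")
    if any(p == ".." for p in parts):
        raise TraversalError("parent directory reference")

    full = posixpath.normpath(posixpath.join(base, *parts))
    # Defense in depth: even after the checks above, the resolved path must
    # share base as its common prefix at the path-component level.
    if posixpath.commonpath([base, full]) != base:
        raise TraversalError("path escapes base directory")
    return full


def is_safe(base_dir, user_path):
    """Boolean convenience wrapper around safe_join."""
    try:
        safe_join(base_dir, user_path)
    except TraversalError:
        return False
    return True
```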
»Zero-day vulnerabilities
• Bug or hole in software that is unknown to the
vendor
• Exploited by attackers before the vendor becomes
aware or releases a patch
• Can evade purely signature-based detection until a
patch is released
• Used in targeted attacks (Stuxnet)
»Zero-day vulnerabilities
• Defenses
• Difficult to defend against
• Heuristic-based and behavior-based monitoring
• Firewalls
• Whitelisting applications
Securing the Operating System
»Hardening
• Secure configuration
• Creation of policies and rules
• Removal of unnecessary services
• Closing of unused ports
• Apply patches and hotfixes
»Removal of unnecessary services
• Services use hard drive space/CPU cycles
• Increase the attack surface
• Applications can also interfere with employee
productivity
• Instant messaging
»Removal of unnecessary services
• Enterprise options for group management
• Microsoft System Center Configuration Manager
• Allows an administrator to manage software
configurations and policies from a central
workstation
»Application whitelisting/blacklisting
• Blacklisting is a more time-consuming process
• Allow only those applications that are
necessary for the duties of the employee
• Allow only trusted applications
• Replace unsecure applications with secure
counterparts (SSH for Telnet)
»Stopping and starting services in Windows
• net start and net stop commands
• net stop mpssvc – stops the firewall service
• net start mpssvc – starts the firewall service
• sc config mpssvc start= disabled – disables the service (note the space after start=)
»Stopping and starting services in Linux
• Display list of services
• service --status-all
• Stopping services
• /etc/init.d/<servicename> stop
• service <name> start/stop
»Stopping and starting services in OS X client
• Terminal command
• kill <PID>
• Utilize the Activity Monitor
• taskkill and kill
• Windows and *nix commands, respectively, to kill the underlying process
»Service packs
• Microsoft updates/fixes/drivers
• SPs are numbered
• SP1, SP2
• An OS without a service pack is considered SP0
• Discover the current service pack from the Start
menu/right-click ‘Computer’ and select
‘Properties’
»Windows updates/patches/hotfixes
• Types of updates
• Critical updates and service packs
• Windows updates
• Driver updates
• User notification
• Shield icon from Windows Security Center
»Configure the system for automatic updates
• Start Menu > All Programs > Windows Update
• Click ‘Change settings’ – the third menu option
• Select ‘Install Updates Automatically’ from the
drop-down menu
• Options to set the time to avoid interrupting your
work routine
»Application patches and hotfixes
• What is a hotfix?
• Single patch for Windows to fix a running system
• Typically used without a reboot
• Definitions of hotfixes vary from vendor to
vendor
• Patch version/point release
»Patches
• Larger and more in-depth than hotfixes
• Patches might fix one issue but create others
»Patch management
• Planning
• Testing
• Implementing
• Auditing
»Hardening file systems and drives
• Examining the file system
• chkdsk from the command prompt
• Right-click the drive in the GUI
– Select the ‘Properties’ option
– NTFS, HFS, or EXT4
»Hardening file systems and drives
• NTFS characteristics
• File-level security
• Tracking of permissions within ACLs
• convert <volume> /FS:NTFS
• View additional options
– convert /?
»Hardening hard disk drives (HDDs)
• Mechanical systems will experience failure at
some point
• Causes of HDD mechanical failures
• Worn-out parts
• External factors
– Natural causes
– User error/mishandling
»Hardening hard disk drives (HDDs)
• HDD maintenance
• Whole disk encryption
– Protects the confidentiality of information
• Create data backups
– Duplicate data whenever possible
»Hardening hard disk drives (HDDs)
• HDD maintenance
• Windows defragmentation
• Remove temporary files
– Utilize the ‘disk cleanup’ program
– Run at every logoff
»Hardening hard disk drives (HDDs)
• HDD maintenance
• Audit system files on a periodic basis
– Verify the integrity of the operating system files
– chkdsk (check disk) finds lost files and errors
»Hardening hard disk drives (HDDs)
• HDD maintenance
• System file checker
– sfc at the command line
– Checks and replaces system files
– sfc /scannow
»Hardening hard disk drives (HDDs)
• HDD maintenance
• Linux commands
– fsck – Checks and repairs the file system
• Additional recommendations
– Create restore points within the operating
system
»Hardening hard disk drives (HDDs)
• Windows System Restore
• rstrui.exe
• Reverses registry changes made by software and
hardware
• Manual creation
• No Linux counterpart
»Compartmentalization
• Keep data and the operating system on separate
volumes
• OS infection will not cause a data loss
• Data infection will not affect the operating system
• Back up system settings
• If drives are not available, partitions can be
utilized
Putting It All Together
»A security approach from the physical to the
application layer
• Guarantee availability with a generator and
UPS
• Limit physical access
• Update the BIOS
• Update the operating system
• Update the AV/anti-malware/spyware
»A security approach from the physical to the
application layer
• Update the firewall
• Perform disk maintenance
• Cleanup
• Defragmentation
• Create restore points
Virtualization Technologies
»Virtual machines
• Shares hardware resources with other
applications
• Can be said to run “inside” the main operating
system
• Benefits
• Maximizes the physical resources
• Can limit malware infection
• Allows different OSs to interact with the system
hardware
»Virtual machines
• Potential issues
• Virtualization software presents a single point of
failure
• Can be resource intensive if not planned for
• Additional administration tasks
»Virtual machines
• System images can be made of mission-critical
systems
• Servers
• Critical workstations
• Creates a security template
»Virtual machines
• Types of virtual machines
• Process
– Allows for the use of a single application
• System
– Complete workstation platform
»Virtual machines
• Security benefits
• Processes have a much more difficult time crossing
software boundaries
• Malware will have a much more difficult time
spreading to other systems
»Virtual machines
• Security benefits
• Malware can infect the virtual system
– Provides a safe environment to conduct tests
– Could be considered a sheep-dip computer to
test external media as with a poisoned apple
attack
»Virtual machines
• Hypervisor
• The virtual machine software that allows multiple
virtual machines to communicate
• Allows multiple VMs to work on the same machine
• Also known as the virtual machine manager
»Virtual machines
• Types of hypervisor
• Native
– Runs directly on the host computer hardware
– AKA “bare metal”
– No intermediary operating system
»Virtual machines
• Types of hypervisor
• Hosted
– Runs on top of an existing operating system
– Example: VMware running on a Windows 7 machine
»Virtual machines
• Hypervisors
• Bare metal hypervisors are faster because they do
not have to compete with the host operating
system for CPU cycles
• System resources can also be adjusted more
quickly
»Virtual machines
• Securing virtual machines
• Same procedures can be used as when securing a
physical machine operating system
• Update with the most current service pack
• Ensure patch compatibility
• Newest AV definition file
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 

Recently uploaded (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 

CompTIASecPLUSAASS-part4 - Edited (1).pptx

1. Application, Data, & Host Security
www.ine.com

2. Secure Web Browsing
Copyright © www.ine.com
»Securing the browser
• Choose your browser wisely
• Consider what operating system you will be using
• Firefox/Iceweasel for Linux
• Chrome for Linux/Windows/Apple
• Internet Explorer for Windows

3. Secure Web Browsing
»Securing the browser
• https://www.mozilla.org/security/known-vulnerabilities
• Vulnerabilities in Firefox tend to be patched more quickly than in IE
• IE has a bad reputation due to its performance in prior years
• Current versions of the browser are more secure

4. Secure Web Browsing
»Securing the browser
• Firefox
• Do Not Track add-on allows the user to indicate a preference about the way personal info is collected and used online
• Private browsing
• Forget button

5. Secure Web Browsing
»Securing the browser
• Firefox
• Secure connections
– Enforce HTTPS connections
• Anti-phishing and anti-malware protection
– Trojan horse/spyware detection

6. Secure Web Browsing
»Securing the browser
• Common user/programmer mistakes
• Clicking on links that could redirect the user to a malicious website or otherwise infect the system with malware
• Web page addresses can be faked or take the user to an unexpected site
• Functionality often overrides security concerns

7. Secure Web Browsing
»Securing the browser
• Common user/programmer mistakes
• Zero-day vulnerabilities and attacks
• Bundling with additional, insecure software
– Toolbars
– Other add-ons

8. Secure Web Browsing
»Securing the browser
• Common user/programmer mistakes
• Many websites require users to enable certain features or install more software
• Increases the attack surface of the browser
• Many users do not know how to securely configure their browser

9. Secure Web Browsing
»Web browser security procedures
• Create and implement policies
• Hand written
• Configured within the browser/operating system
• Configured on a central server, such as Group Policy Objects

10. Secure Web Browsing
»Web browser security procedures
• Types of policies
• Add-ons
• Blacklisting of websites
• Disable scripting (JavaScript/ActiveX/Flash)
• Restrict file downloads
• Object caching protection
• Network protocol lockdown

11. Secure Web Browsing
»Web browser security procedures
• Train the user
• User education is implemented to change employee behavior
– Visiting malicious websites
– Downloading files
– Accessing email attachments
– Using Alt-F4 to close pop-ups
– Determining whether communications are secure

12. Secure Web Browsing
»Web browser security procedures
• HTTP proxies/content filters
• Cache content
• Certain websites can be filtered or blocked
– Non-family-friendly sites
– P2P/torrent

13. Secure Web Browsing
»Web browser security procedures
• Risks of torrenting/P2P connections
• Malware infection
• Data exposure
• Increased attack surface
• Traffic increase
• Illegal activities and prosecution

14. Securing Other Applications
»User Account Control (UAC)
• Windows Vista and later operating systems
• Keeps users in standard user mode and escalates privileges only when necessary to perform administrative functions
• Prevents unauthorized access
• Prevents accidental changes due to user error

15. Securing Other Applications
»Windows Server policy
• Disallow specific applications
• Blacklisting
• The list could become unmanageable
• Run only specifically approved applications
• Whitelisting
• Allow by exception, deny by default

16. Securing Other Applications
»Application patch management
• Part of a configuration management system
• Apply the most current patches, updates, or service packs
»Mobile application security
• Disable GPS tracking within the application or on the device itself
• Utilize strong passwords for the device and all accounts
• Periodically check for security updates

17. Securing Other Applications
»Back-end server and database considerations
• MSSQL
• Web servers
• FTP servers
• Check for separate administrator accounts with default passwords
• Rename default accounts
• Disable unnecessary accounts

18. Securing Other Applications
»Back-end server and database considerations
• Isolate servers on different systems
• Consolidating servers is good for the budget, but negatively impacts the security posture of the organization
• The more services the server has running, the larger the attack surface
• Creates a single point of failure for multiple systems

19. Secure Programming
»Secure coding concepts
• Best practices in the development of software
• Code hardening
»Systems development lifecycle (SDLC)
• Process of planning, developing, testing, deploying, and maintaining systems and applications
• Various methodologies

20. Secure Programming
»Phases of the SDLC
• Planning and analysis
• Assess organizational needs
• Determine goals
• Accomplish any high-level planning
• Systems design
• Define and diagram in detail the system or application

21. Secure Programming
»Phases of the SDLC
• Implementation
• Write the code
• Testing
• Application or systems are thoroughly tested for bugs, functionality, and security

22. Secure Programming
»Phases of the SDLC
• Deployment
• System or application is put into production
• Maintenance
• Software is monitored for performance and security issues
• Updates and patches are periodically made available to remedy any issues

23. Secure Programming
»Secure code review
• Always consider the CIA Triad
• Confidentiality
– Allow users and processes access to data and resources that are necessary to perform their job functions and nothing more

24. Secure Programming
»Secure code review
• Always consider the CIA Triad
• Integrity
– Data should not be tampered with or altered by unauthorized parties or processes
• Availability
– Systems and data are accessible to authorized users when necessary

25. Secure Programming
»Secure code review
• Quality assurance procedures
• Implemented during the development and testing phases
• Comprehensive documentation is a must!
– Increases security
– Saves time

26. Secure Programming
»Secure code review
• Threat modeling
• Prioritize threats to a system or application based on their impact
• Incorporated into the SDLC during the design, testing, and deployment phases

27. Secure Programming
»Secure code review
• Threat modeling
• Identify assets
• Identify vulnerabilities (weaknesses)
• Identify threats
• Pair threats with vulnerabilities
• Prioritize based on impact

28. Secure Programming
»Other security principles
• Least privilege
• Users have access only to what they need
• Processes run with the least amount of access
• Could be coupled with separation of privilege
– Access depends on more than one condition
– Based on the principle that a protection mechanism with two locks is more secure than one with only a single lock

29. Secure Programming
»Other security principles
• Defense-in-depth
• Layering of security controls provides better security than any single control
• With coding, defense-in-depth can include input validation, auditing, authentication techniques, and buffer overflow protection

30. Secure Programming
»Other security principles
• Input validation
• All applications require some type of user input
• User input should never be trusted
• You never know who or what is giving the application information to process
• Is the user legitimate or an attacker?

31. Secure Programming
»Other security principles
• Input validation
• Data supplied in web forms or other input fields
• Ensures that user-supplied data is processed correctly
• If data is not validated, any number of potential problems can occur

32. Secure Programming
»Other security principles
• Input validation
• Buffer overflows
• Injection attacks
• DoS attacks
• Memory leakage
• Information disclosure

33. Secure Programming
»Other security principles
• Input validation
• Whatever data is being entered, it should not allow the exploitation of a vulnerability
• Bad input should be rejected
• Validation should be done on the client side and on the server side

34. Secure Programming
»Other security principles
• Client-side input validation
• Done first to help users correct their mistakes
• Also helps to eliminate malicious data
• Server-side input validation
• Perform the same checks on the server to guarantee appropriate input values

35. Secure Programming
»Other security principles
• Minimize the attack surface
• As the complexity of an application grows, so does the attack surface
• Unnecessary functions should be removed
• Use authentication or validation for necessary functions

36. Secure Programming
»Other security principles
• Establish secure defaults
• Password complexity, history, and aging requirements should be defined by the programmer and not the user
• Permissions should default to no access
• Permissions should be granted as needed

37. Secure Programming
»Other security principles
• Fail-secure or fail-closed
• How systems or applications fail will determine their security
• Failure exceptions can leak information useful to an attacker
• Error messages can, for example, indicate the programming language in use

38. Secure Programming
»Other security principles
• Properly address security issues
• Vulnerabilities should be tested and well documented
• Patches developed and tested
• Constant monitoring of correct behavior

39. Secure Programming
»Testing methods
• Black-box testing
• Testers will not have any information about the system
• Functionality is tested
• One of the most common goals is to crash the program

40. Secure Programming
»Testing methods
• White-box testing
• Also known as transparent testing
• Tests the internal workings of an application
• Testers must have programming knowledge
• Testers are given detailed knowledge about the system, diagrams, source code, and any production documentation

41. Secure Programming
»Testing methods
• Gray-box testing
• Tester has internal knowledge of the application or system but conducts the test from the user level rather than from an internal perspective

42. Secure Programming
»Additional testing concepts
• Sandbox
• Code runs in an isolated environment
• Used to test unverified applications for malware and vulnerabilities
• Can also be used for other security testing

43. Secure Programming
»Additional testing concepts
• Fuzzing
• Random data is fed to the application
• Typically done with an automated program
• Program is monitored for crashes or error messages

44. Secure Programming
»Additional testing concepts
• Fuzzing
• Issues with exception handling
• Memory leaks
• System failures

45. Programming Vulnerabilities & Attacks
»Backdoors
• Can be used to bypass normal authentication and security mechanisms
• Installed by the creators of the software
• Installed by malicious parties wishing to exploit the system

46. Programming Vulnerabilities & Attacks
»Buffer overflows
• Programmers allocate memory for applications
• Data overflows the intended buffer space
• Can allow arbitrary code execution
• cmd.exe on Windows
• /bin/bash on *nix

47. Programming Vulnerabilities & Attacks
»Buffer overflows
• Smashing the stack
• Data exceeds the allocated fixed-length buffer
• Results in data corruption or data overwrite
• System crash
• Arbitrary code execution

48. Programming Vulnerabilities & Attacks
»Buffer overflows
• Spraying the heap
• Dynamically allocated memory
• Memory contains program data
• Overwrites the program function pointer
• Directs the pointer to the arbitrary code

49. Programming Vulnerabilities & Attacks
»Integer overflow
• Arithmetic operations result in numeric values that exceed the allocated memory space
• Creates a condition known as a wrap
• Can cause program resets and unintended behavior
• Could also lead to a buffer overflow
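The wrap described on this slide, and how it turns into an undersized buffer, shown as an added example (not INE's code). Python integers never wrap, so the 32-bit C arithmetic is simulated by masking with `wrap_u32()`; `simulate_copy()` is a constructed model of the `malloc(count * size)` pattern.

```python
# Added example for the integer overflow slide; not INE's code. Python ints
# never wrap, so 32-bit C arithmetic is simulated by masking with wrap_u32().
U32_MAX = 0xFFFFFFFF


def wrap_u32(value: int) -> int:
    """What an unsigned 32-bit register does on overflow: keep the low 32 bits."""
    return value & U32_MAX


def unchecked_alloc_size(count: int, elem_size: int) -> int:
    """Vulnerable: the product is formed in 32 bits, so a large count wraps to
    a tiny allocation while the copy loop still runs count times."""
    return wrap_u32(count * elem_size)


def checked_alloc_size(count: int, elem_size: int) -> int:
    """Hardened: prove the multiplication cannot wrap before performing it."""
    if count < 0 or elem_size <= 0:
        raise ValueError("count must be >= 0 and elem_size > 0")
    if count > U32_MAX // elem_size:
        raise OverflowError(f"{count} * {elem_size} does not fit in 32 bits")
    return count * elem_size


def simulate_copy(count: int, elem_size: int, size_fn=unchecked_alloc_size) -> dict:
    """Model the classic pattern: buf = malloc(count * elem_size), then write
    count records of elem_size bytes each. Returns the allocation that was
    made, the bytes the loop writes, and how far the writes run past the end
    of the buffer (0 means no overflow)."""
    allocated = size_fn(count, elem_size)
    written = count * elem_size
    return {"allocated": allocated, "written": written,
            "overflow_bytes": max(0, written - allocated)}
```

With `count = 0x40000001` and 4-byte elements the unchecked size wraps to 4 bytes while the loop writes 4 GiB past it; the checked version refuses the request instead.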
50. Programming Vulnerabilities & Attacks
»Arbitrary/remote code execution
• Attacker gains control of a system through the exploitation of a vulnerability
• Execute commands on the system
• Escalate privilege
• Pivot the attack further into the network

51. Programming Vulnerabilities & Attacks
»Arbitrary/remote code execution
• Netcat
• Reading from and writing to network connections using TCP or UDP
• Debugging and troubleshooting tool
• Port scanner, listener, and file transfer device

52. Programming Vulnerabilities & Attacks
»Arbitrary/remote code execution
• Defenses
• Update applications
• Fuzz testing
• Strong input validation
– Client and server side

53. Programming Vulnerabilities & Attacks
»Cross-site scripting (XSS)
• Software vulnerability
• Exploited by code injection attacks
• Attacker inserts malicious code into a web page
• Attempts privilege escalation
• Cookie theft
• Session hijacking

54. Programming Vulnerabilities & Attacks
»Cross-site scripting (XSS)
• Defenses
• Output encoding
• Disable use of HTML tags
• Strong input validation
• Disable scripts within the browser
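Output encoding, the first defense listed on this slide, as an added example that is not part of the INE deck. The comment widget, the two render functions and the sample inputs are constructed; `markup_summary()` uses the standard-library HTML parser to show which tags and attributes a browser would actually see in each version.

```python
import html
from html.parser import HTMLParser

# Added example for the XSS 'output encoding' defense; not INE's code.
# The comment widget and the sample inputs are constructed.


def render_comment_unsafe(author: str, body: str) -> str:
    """Vulnerable: user-controlled strings are concatenated into the markup,
    so a body containing a tag becomes part of the page, and a quote in the
    author field ends the attribute and lets new attributes be added."""
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment(author: str, body: str) -> str:
    """Hardened: encode for the HTML context. html.escape(quote=True) turns
    < > & " ' into entities, so user text can neither open a tag in the
    body nor break out of the data-author attribute value."""
    return (f'<div class="comment" data-author="{html.escape(author, quote=True)}">'
            f'<p>{html.escape(body, quote=True)}</p></div>')


class _TagCollector(HTMLParser):
    """Parses a fragment the way a browser would and records every start tag
    with its attribute names; used to inspect what markup the output carries."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []          # e.g. ["div", "p", "script"]
        self.attr_names = []    # e.g. ["class", "data-author", "onmouseover"]

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attr_names.extend(name for name, _ in attrs)


def markup_summary(fragment: str) -> dict:
    """Return the tags and attribute names a browser would see in fragment.
    The template itself contributes only div/p and class/data-author; anything
    beyond that came from user data and marks an encoding failure."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return {"tags": parser.tags, "attrs": parser.attr_names}
```

Running `markup_summary()` over both renderings of the same hostile input is a quick regression check that the encoded output still contains only the template's own markup.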
55. Programming Vulnerabilities & Attacks
»Cross-site request forgery
• User's browser is compromised
• Browser transmits unauthorized commands to the web server
• Forces an end user to execute unwanted actions on a web application in which they are currently authenticated
• Can lead to a compromise of data or the entire web application depending on the level of access of the user

56. Programming Vulnerabilities & Attacks
»Cross-site request forgery
• Defenses
• Synchronizer token pattern
• Encrypted token pattern
• Challenge-response
• Double submit cookies
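Two of the defenses on this slide, the synchronizer token pattern and the double-submit cookie, worked through as an added example (not INE's code). The in-memory `SESSIONS` store, the request dictionaries and `handle_transfer()` are constructed stand-ins for a web framework; the point is that the session cookie, which the browser attaches to a forged request automatically, is never enough on its own.

```python
import hmac
import secrets

# Added example for the CSRF defenses slide; not INE's code. The session
# store, request dicts and handler are constructed stand-ins for a framework.

SESSIONS = {}   # session id -> {"user": ..., "csrf_token": ...}


def create_session(user: str) -> str:
    """Log a user in: issue a random session id and a random per-session
    CSRF token that is kept server-side (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """The server embeds this in its own forms as a hidden field. A page on
    another origin cannot read it, so a forged request cannot include it."""
    return SESSIONS[sid]["csrf_token"]


def handle_transfer(request: dict):
    """State-changing handler. request = {"cookies": {...}, "form": {...}}.
    Returns (status, message). The browser sends the session cookie even on
    a forged request, so the cookie alone must not authorize the action."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not authenticated"
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison: a plain == leaks the match length via timing.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "CSRF token missing or invalid"
    amount = request["form"].get("amount", "0")
    return 200, f"transferred {amount} on behalf of {session['user']}"


def double_submit_ok(request: dict) -> bool:
    """Double-submit cookie pattern: the server sets a random 'csrf' cookie
    and its form repeats the value in a field. No server-side state is
    needed; a forging page cannot read the cookie, so it cannot fill in the
    field with the matching value."""
    cookie_val = request["cookies"].get("csrf", "")
    form_val = request["form"].get("csrf_token", "")
    return bool(cookie_val) and hmac.compare_digest(cookie_val.encode(), form_val.encode())
```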
57. Programming Vulnerabilities & Attacks
»Other code injection attacks
• Structured Query Language (SQL) injection attacks
• Attack on a database
• Lightweight Directory Access Protocol (LDAP) injection
• Similar to SQL injection attacks
• Extensible Markup Language (XML) injection attacks
• Used to create new users
• Obtain administrative access

58. Programming Vulnerabilities & Attacks
»Directory traversal attacks
• Also known as the dot-dot-slash attack (../)
• Method of accessing unauthorized or root directories
• Exploits insufficient security validation/sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs

59. Programming Vulnerabilities & Attacks
»Directory traversal attacks
• Defenses
• Validate user input from browsers
• Filters can be used to block certain user input
• Block URLs containing commands and escape codes that are commonly used by attackers
• Web server software should be kept up to date with current patches
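The server-side validation that slides 33-34 call for, applied to the file-name input this slide discusses, as an added example (not INE's code). `BASE_DIR` is a constructed document root; the paths never need to exist, because the check is on the canonical name. Rather than filtering the `../` string, which misses encoded and mixed forms, the hardened function resolves the name and then checks that it is still inside the root.

```python
import os
import urllib.parse

# Added example for the directory traversal defenses and server-side input
# validation slides; not INE's code. BASE_DIR is a constructed document root.
BASE_DIR = os.path.realpath("/srv/app/public")


def resolve_unsafe(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Vulnerable: trusts the name from the URL. 'reports/../../etc/passwd'
    resolves to a file outside base_dir and is handed straight to the file API."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def resolve_safe(user_path: str, base_dir: str = BASE_DIR) -> str:
    """Hardened: decode, reject obviously bad input, canonicalize, and then
    check containment in base_dir. Raises ValueError on anything that escapes."""
    # Decode twice so a double-encoded %252e%252e does not survive a single pass.
    decoded = urllib.parse.unquote(urllib.parse.unquote(user_path))
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    if decoded.startswith(("/", "\\")) or os.path.isabs(decoded):
        raise ValueError("absolute paths are not allowed")
    candidate = os.path.realpath(os.path.join(base_dir, decoded))
    # Compare with a trailing separator so '/srv/app/public_old' is not
    # mistaken for a child of '/srv/app/public'.
    if candidate != base_dir and not candidate.startswith(base_dir + os.sep):
        raise ValueError(f"{user_path!r} escapes the document root")
    return candidate


def is_traversal(user_path: str, base_dir: str = BASE_DIR) -> bool:
    """Convenience for request filters and logging: True when the name
    would leave base_dir once resolved."""
    try:
        resolve_safe(user_path, base_dir)
    except ValueError:
        return True
    return False
```

`is_traversal()` is what a filter in front of the file handler would call; the same check, not a blacklist of `..`, is what the handler itself should run.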
  • 60. Programming Vulnerabilities & Attacks Copyright © www.ine.com »Zero-day vulnerabilities • Bug or hole in software that is unknown to the vendor • Exploited by attackers before the vendor becomes aware or releases a patch • Can evade purely signature-based detection until a patch is released • Used in targeted attacks (Stuxnet)
  • 61. Programming Vulnerabilities & Attacks Copyright © www.ine.com »Zero-day vulnerabilities • Defenses • Difficult to defend against • Heuristic-based and behavior-based monitoring • Firewalls • Whitelisting applications
  • 62. Securing the Operating System Copyright © www.ine.com »Hardening • Secure configuration • Creation of policies and rules • Removal of unnecessary services • Closing of unused ports • Apply patches and hotfixes
  • 63. Securing the Operating System Copyright © www.ine.com »Removal of unnecessary services • Services use hard drive space/CPU cycles • Increase the attack surface • Applications can also interfere with employee productivity • Instant messaging
  • 64. Securing the Operating System Copyright © www.ine.com »Removal of unnecessary services • Enterprise options for group management • Microsoft System Center Configuration Manager • Allows an administrator to manage software configurations and policies from a central workstation
  • 65. Securing the Operating System Copyright © www.ine.com »Application whitelisting/blacklisting • Blacklisting is a more time-consuming process • Allow only those applications that are necessary for the duties of the employee • Allow only trusted applications • Replace unsecure applications with secure counterparts (SSH for Telnet)
  • 66. Securing the Operating System Copyright © www.ine.com »Stopping and starting services in Windows • net start and net stop commands • net stop mpsscv – stops the firewall • net start mpsscv – starts the firewall • sc config mpssvc start=disabled
  • 67. Securing the Operating System Copyright © www.ine.com »Stopping and starting services in Linux • Display list of services • service -- status all • Stopping services • /etc/init.d/ <servicename> stop • service <name> start/stop
  • 68. Securing the Operating System Copyright © www.ine.com »Stopping and starting services in OSX client • Terminal command • Kill <service> • Utilize the activity monitor • Taskkill and kill • `Windows and *Nix to kill the underlying process
  • 69. Securing the Operating System Copyright © www.ine.com »Service packs • Microsoft updates/fixes/drivers • SPs are numbered • SP1, SP2 • An OS without a service pack is considered SP0 • Discover the current service pack from the Start menu/right-click ‘Computer’ and select ‘Properties’
  • 70. Securing the Operating System Copyright © www.ine.com »Windows updates/patches/hotfixes • Types of updates • Critical updates and service packs • Windows updates • Driver updates • User notification • Shield icon from Windows Security Center
  • 71. Securing the Operating System Copyright © www.ine.com »Configure the system for automatic updates • Start Menu >All Programs >Windows Update • Click ‘Change settings’ – the third menu option • Select ‘Install Updates Automatically’ from the drop-down menu • Options to set the time to avoid interrupting your work routine
  • 72. Securing the Operating System Copyright © www.ine.com »Application patches and hotfixes • What is a hotfix? • Single patch for Windows to fix a running system • Typically used without a reboot • Definitions of hotfixes vary from vendor to vendor • Patch version/point release
  • 73. Securing the Operating System Copyright © www.ine.com »Patches • Larger and more in-depth than hotfixes • Patches might fix one issue but create others »Patch management • Planning • Testing • Implementing • Auditing
  • 74. Securing the Operating System Copyright © www.ine.com »Hardening file systems and drives • Examining the file system • Chkdsk from the command prompt • Right-click the drive in the GUI – Select the ‘Properties’ option – NTFS, HFS, or EXT4
  • 75. Securing the Operating System Copyright © www.ine.com »Hardening file systems and drives • NTFS characteristics • File-level security • Tracking of permissions within ACLs • Convert <volume>/FS:NTFS • View additional options – Convert /?
  • 76. Securing the Operating System Copyright © www.ine.com »Hardening hard disk drives (HDDs) • Mechanical systems will experience failure at some point • Causes of HDD mechanical failures • Worn-out parts • External factors – Natural causes – User error/mishandling
  • 77. Securing the Operating System Copyright © www.ine.com »Hardening hard disk drives (HDDs) • HDD maintenance • Whole disk encryption – Protects the confidentiality of information • Create data backups – Duplicate data whenever possible
  • 78. Securing the Operating System Copyright © www.ine.com »Hardening hard disk drives (HDDs) • HDD maintenance • Windows defragmentation • Remove temporary files – Utilize the ‘disk cleanup’ program – Run at every logoff
  • 79. Securing the Operating System Copyright © www.ine.com »Hardening hard disk drives (HDDs) • HDD maintenance • Audit system files on a periodic basis – Verify the integrity of the operating system files – CHKDSK – Check disk finds lost files and errors
  • 80. Securing the Operating System Copyright © www.ine.com »Hardening hard disk drives (HDDs) • HDD maintenance • System file checker – SFC at the command line – Checks and replaces system files – SFC /scannow
  • 81. Securing the Operating System Copyright © www.ine.com »Hardening hard disk drives (HDDs) • HDD maintenance • Linux commands – fsck – Checks and repairs the file system • Additional recommendations – Create restore points within the operating system
Securing the Operating System
»Hardening hard disk drives (HDDs)
• Windows System Restore
• rstrui.exe
• Reverses registry changes made by software and hardware
• Manual creation
• No Linux counterpart

Securing the Operating System
»Compartmentalization
• Keep data and the operating system on separate volumes
• OS infection will not cause a data loss
• Data infection will not affect the operating system
• Back up system settings
• If separate drives are not available, partitions can be utilized

Putting It All Together
»A security approach from the physical to the application layer
• Guarantee availability with a generator and UPS
• Limit physical access
• Update the BIOS
• Update the operating system
• Update the AV/anti-malware/anti-spyware

Putting It All Together
»A security approach from the physical to the application layer
• Update the firewall
• Perform disk maintenance
• Cleanup
• Defragmentation
• Create restore points

Virtualization Technologies
»Virtual machines
• Shares hardware resources with other applications
• Can be said to run “inside” the main operating system
• Benefits
• Maximizes the physical resources
• Can limit malware infection
• Allows different OSs to interact with the system hardware

Virtualization Technologies
»Virtual machines
• Potential issues
• Virtualization software presents a single point of failure
• Can be resource intensive if not planned for
• Additional administration tasks

Virtualization Technologies
»Virtual machines
• System images can be made of mission-critical systems
• Servers
• Critical workstations
• Creates a security template

Virtualization Technologies
»Virtual machines
• Types of virtual machines
• Process
– Allows for the use of a single application
• System
– Complete workstation platform

Virtualization Technologies
»Virtual machines
• Security benefits
• Processes have a much more difficult time crossing software boundaries
• Malware will have a much more difficult time spreading to other systems

Virtualization Technologies
»Virtual machines
• Security benefits
• Malware can infect the virtual system
– Provides a safe environment to conduct tests
– Could be considered a sheep-dip computer to test external media, as with a poisoned apple attack

Virtualization Technologies
»Virtual machines
• Hypervisor
• The virtual machine software that allows multiple virtual machines to communicate
• Allows multiple VMs to work on the same machine
• Also known as the virtual machine manager

Virtualization Technologies
»Virtual machines
• Types of hypervisor
• Native
– Runs directly on the host computer hardware
– AKA “bare metal”
– No intermediary operating system

Virtualization Technologies
»Virtual machines
• Types of hypervisor
• Hosted
– Runs on top of an existing operating system
– Example: VMware running on a Windows 7 machine

Virtualization Technologies
»Virtual machines
• Hypervisors
• Bare metal hypervisors are faster because they do not have to compete with the host operating system for CPU cycles
• System resources can also be adjusted more quickly

Virtualization Technologies
»Virtual machines
• Securing virtual machines
• Same procedures can be used as when securing a physical machine operating system
• Update with the most current service pack
• Ensure patch compatibility
• Newest AV definition file
Copyright © www.ine.com All rights reserved.
Questions?